From 4d68503f6fdba1b7fbcb3315bef70e5695b7108b Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Mon, 11 Jan 2021 19:29:08 +0200 Subject: [PATCH 01/37] Protocol semantics --- multisig/protocol-correctness/.gitignore | 4 + multisig/protocol-correctness/Makefile | 33 + multisig/protocol-correctness/execution.k | 10 + multisig/protocol-correctness/invariant.k | 186 +++ .../proof-configuration.k | 26 + multisig/protocol-correctness/pseudocode.k | 1288 +++++++++++++++++ .../tests/add-board-member.golden | 70 + .../tests/add-board-member.msig | 4 + .../tests/add-proposer.golden | 73 + .../tests/add-proposer.msig | 7 + .../tests/board-member-to-proposer.golden | 70 + .../tests/board-member-to-proposer.msig | 7 + .../tests/change-quorum.golden | 70 + .../tests/change-quorum.msig | 7 + .../tests/discard-action.golden | 67 + .../tests/discard-action.msig | 4 + .../tests/perform-discarded.golden | 67 + .../tests/perform-discarded.msig | 6 + .../tests/remove-user.golden | 69 + .../tests/remove-user.msig | 7 + .../protocol-correctness/tests/sc-call.golden | 67 + .../protocol-correctness/tests/sc-call.msig | 4 + .../tests/sc-deploy.golden | 67 + .../protocol-correctness/tests/sc-deploy.msig | 4 + .../tests/send-egld.golden | 67 + .../protocol-correctness/tests/send-egld.msig | 4 + .../protocol-correctness/tests/sign.golden | 73 + multisig/protocol-correctness/tests/sign.msig | 8 + .../tests/unsign-all.golden | 67 + .../tests/unsign-all.msig | 3 + 30 files changed, 2439 insertions(+) create mode 100644 multisig/protocol-correctness/.gitignore create mode 100644 multisig/protocol-correctness/Makefile create mode 100644 multisig/protocol-correctness/execution.k create mode 100644 multisig/protocol-correctness/invariant.k create mode 100644 multisig/protocol-correctness/proof-configuration.k create mode 100644 multisig/protocol-correctness/pseudocode.k create mode 100644 multisig/protocol-correctness/tests/add-board-member.golden create mode 100644 multisig/protocol-correctness/tests/add-board-member.msig create mode 100644 
multisig/protocol-correctness/tests/add-proposer.golden
create mode 100644 multisig/protocol-correctness/tests/add-proposer.msig
create mode 100644 multisig/protocol-correctness/tests/board-member-to-proposer.golden
create mode 100644 multisig/protocol-correctness/tests/board-member-to-proposer.msig
create mode 100644 multisig/protocol-correctness/tests/change-quorum.golden
create mode 100644 multisig/protocol-correctness/tests/change-quorum.msig
create mode 100644 multisig/protocol-correctness/tests/discard-action.golden
create mode 100644 multisig/protocol-correctness/tests/discard-action.msig
create mode 100644 multisig/protocol-correctness/tests/perform-discarded.golden
create mode 100644 multisig/protocol-correctness/tests/perform-discarded.msig
create mode 100644 multisig/protocol-correctness/tests/remove-user.golden
create mode 100644 multisig/protocol-correctness/tests/remove-user.msig
create mode 100644 multisig/protocol-correctness/tests/sc-call.golden
create mode 100644 multisig/protocol-correctness/tests/sc-call.msig
create mode 100644 multisig/protocol-correctness/tests/sc-deploy.golden
create mode 100644 multisig/protocol-correctness/tests/sc-deploy.msig
create mode 100644 multisig/protocol-correctness/tests/send-egld.golden
create mode 100644 multisig/protocol-correctness/tests/send-egld.msig
create mode 100644 multisig/protocol-correctness/tests/sign.golden
create mode 100644 multisig/protocol-correctness/tests/sign.msig
create mode 100644 multisig/protocol-correctness/tests/unsign-all.golden
create mode 100644 multisig/protocol-correctness/tests/unsign-all.msig
diff --git a/multisig/protocol-correctness/.gitignore b/multisig/protocol-correctness/.gitignore
new file mode 100644
index 000000000..e29a5c64e
--- /dev/null
+++ b/multisig/protocol-correctness/.gitignore
@@ -0,0 +1,4 @@
+*.timestamp
+*-kompiled
+*.cmp
+.krun-*
\ No newline at end of file
diff --git a/multisig/protocol-correctness/Makefile b/multisig/protocol-correctness/Makefile
new file mode 100644
index 000000000..9e736d1cc
--- /dev/null
+++ b/multisig/protocol-correctness/Makefile
@@ -0,0 +1,33 @@
+TESTS = $(wildcard tests/*.golden)
+TEST_COMPARISON = ${TESTS:.golden=.cmp}
+TEST_GOLDEN = ${TESTS:=.make}
+
+CHECK_RESULT_RUN = if [ $$? -eq 0 ] ; then echo "passed $<"; mv $@.tmp $@; else echo "failed $<"; cat $@.tmp; exit 1; fi
+
+.PRECIOUS: tests/*.out
+
+execution.timestamp: execution.k *.k
+ @echo "Compiling $<"
+ @kompile $< --backend haskell
+ @touch execution.timestamp
+
+test: ${TEST_COMPARISON}
+
+tests/%.cmp: tests/%.out tests/%.golden
+ @echo "Comparing $^... "
+ @diff --strip-trailing-cr $^ > $@.tmp 2>&1; ${CHECK_RESULT_RUN}
+
+tests/%.out: tests/%.msig execution.timestamp
+ @echo "Running $<"
+ @krun $< > $@ 2>&1
+
+golden: ${TEST_GOLDEN}
+
+tests/%.golden.make: tests/%.msig execution.timestamp
+ @echo "Running $<"
+ @krun $< > tests/$*.golden 2>&1
+
+clean:
+ -rm *.timestamp tests/*.out tests/*.cmp
+ -rm -r execution-kompiled
+ -rm -r .krun*
diff --git a/multisig/protocol-correctness/execution.k b/multisig/protocol-correctness/execution.k
new file mode 100644
index 000000000..d4013327d
--- /dev/null
+++ b/multisig/protocol-correctness/execution.k
@@ -0,0 +1,10 @@
+require "pseudocode.k"
+
+module EXECUTION-SYNTAX
+ imports PSEUDOCODE-SYNTAX
+endmodule
+
+module EXECUTION
+ imports EXECUTION-SYNTAX
+ imports PSEUDOCODE
+endmodule
\ No newline at end of file
diff --git a/multisig/protocol-correctness/invariant.k b/multisig/protocol-correctness/invariant.k
new file mode 100644
index 000000000..f61280770
--- /dev/null
+++ b/multisig/protocol-correctness/invariant.k
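Review bot: `.PRECIOUS: tests/*.out` does not protect the files it is aimed at, as far as I can tell: make expands the wildcard when the Makefile is read, so on a clean checkout (no `tests/*.out` yet) the list is empty and the `.out` files produced by the `tests/%.out` pattern rule are treated as intermediate and removed once the `.cmp` is built, which defeats the intent of keeping them for inspection; the pattern form `.PRECIOUS: tests/%.out` is what GNU make documents for this. Relatedly, when `krun` fails the `tests/%.out` recipe still leaves a partially written `$@` (stdout and stderr are both redirected into it), and the next `make test` considers it up to date and diffs that partial output against the golden file; adding `.DELETE_ON_ERROR:` near the top makes make drop a target whose recipe failed. Whether the recipe lines carry the leading tab make requires cannot be verified from this rendering, which collapses whitespace.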
@@ -0,0 +1,186 @@ +module INVARIANT-SYNTAX + imports PROOF-CONFIGURATION + + syntax Bool ::= invariant(MultisigState, ProofState) [function] +endmodule + +module INVARIANT + imports PROOF-CONFIGURATION + + rule invariant(NoState) => true + rule invariant( + multisigState( + U:Users, + B:BoardState, + actionState(ActionLastIndex:usize, Actions:Actions)), + proofState(AL:ActionLog, VL:VoteLog, UL:UserLog)) + => true + // non-empty board, board members >= quorum + andBool canVote(U, B) + andBool canPropose() + // at execution time, an action was signed by at least 'quorum' + // board members. + // TODO: If a user votes, is removed, is re-added, should the vote count? + // TODO: There is a weird thing about removing an action by removing the + // last signature, which, practically, performs an action without votes. + andBool allExecutedActionsWereAddedThenSigned() + // TODO: Do I need these? + andBool eachProposedActionGetsNewId() + andBool eachNewUserGetsANewId() + andBool stateReflectsActions() + // consistency checks - TODO: Which of them do I need? + andBool realVotesCorrespondToLog(RealVotes, AL, VL, UL) + // cineva nu poate bloca + // gazul creste liniar cu nr de board_memberi + // ultima persoana sa nu poata pleca. + + syntax Bool ::= canVote(MasterLog) [function] + // Normally I should also check that the board users are valid users. + // Also, I should not use the cached quorum, but the actual one. 
+ rule canVote(MasterLog) + => true + andBool computeQuorum(MasterLog) <=Int computeBoardSize(MasterLog) + andBool 0 false + orBool 0 true + rule allExecutedActionsWereAddedThenSigned(MasterLog:List A:Action) + => allExecutedActionsWereAddedThenSigned(MasterLog:List) + requires notBool isExecution(A) + rule allExecutedActionsWereAddedThenSigned(MasterLog:List Execute(ActionId)) + => true + andBool allExecutedActionsWereAddedThenSigned(MasterLog:List) + andBool computeQuorum(MasterLog) <=Int computeValidVotesCount(ActionId, MasterLog) + + syntax Int ::= computeBoardSize(MasterLog) [function] + rule computeBoardSize(MasterLog Execute(AddBoardMember(X))) + => computeBoardSize(MasterLog) + requires boardAlreadyContains(MasterLog, X) + rule computeBoardSize(MasterLog Execute(AddBoardMember(X))) + => computeBoardSize(MasterLog) + 1 + requires notBool boardAlreadyContains(MasterLog, X) + rule computeBoardSize(MasterLog Execute(AddProposer(X))) + => computeBoardSize(MasterLog) -Int 1 + requires boardAlreadyContains(MasterLog, X) + rule computeBoardSize(MasterLog Execute(AddProposer(X))) + => computeBoardSize(MasterLog) + requires notBool boardAlreadyContains(MasterLog, X) + rule computeBoardSize(MasterLog Execute(RemoveUser(X))) + => computeBoardSize(MasterLog) -Int 1 + requires boardAlreadyContains(MasterLog, X) + rule computeBoardSize(MasterLog Execute(RemoveUser(X))) + => computeBoardSize(MasterLog) + requires notBool boardAlreadyContains(MasterLog, X) + rule computeQuorum(MasterLog A) => computeQuorum(MasterLog) [owise] + + syntax Bool ::= boardAlreadyContains(MasterLog, UserId) [function] + rule boardAlreadyContains(MasterLog Execute(RemoveUser(UserId)), UserId) => false + rule boardAlreadyContains(MasterLog Execute(AddProposer(UserId)), UserId) => false + rule boardAlreadyContains(MasterLog Execute(AddBoardMember(UserId)), UserId) => true + rule boardAlreadyContains(MasterLog _, UserId) => boardAlreadyContains(MasterLog, UserId) + + syntax Int ::= 
computeQuorum(MasterLog) [function] + rule computeQuorum(MasterLog Execute(ChangeQuorum(X))) => X + rule computeQuorum(MasterLog A) => computeQuorum(MasterLog) + requires notBool isChangeQuorum(MasterLog, A) + + syntax Int ::= computeProposerCount(MasterLog) [function] + rule computeProposerCount(MasterLog Execute(AddProposer(X))) + => computeProposerCount(MasterLog) + requires isAlreadyProposer(MasterLog, X) + rule computeProposerCount(MasterLog Execute(AddProposer(X))) + => computeProposerCount(MasterLog) + 1 + requires notBool isAlreadyProposer(MasterLog, X) + rule computeProposerCount(MasterLog Execute(RemoveUser(X))) + => computeProposerCount(MasterLog) - 1 + requires isAlreadyProposer(MasterLog, X) + rule computeProposerCount(MasterLog Execute(RemoveUser(X))) + => computeProposerCount(MasterLog) + requires notBool isAlreadyProposer(MasterLog, X) + + + syntax Bool ::= isAlreadyProposer(MasterLog, UserId) [function] + rule isAlreadyProposer(MasterLog Execute(RemoveUser(UserId)), UserId) => false + rule isAlreadyProposer(MasterLog Execute(AddProposer(UserId)), UserId) => true + rule isAlreadyProposer(MasterLog Execute(AddBoardMember(UserId)), UserId) => false + rule isAlreadyProposer(MasterLog _, UserId) => isAlreadyProposer(MasterLog, UserId) + + // What I really want is card({x | x is a board member & last_vote_action(x, A) = "vote(A)"}) + syntax Int ::= computeValidVotesCount(ActionId, MasterLog) [function] + rule computeValidVotesCount(Action, MasterLog Execute(RemoveUser(X))) + => computeValidVotesCount(Action, MasterLog) - 1 + requires userHasSigned(X, Action, MasterLog) andBool actionExists(Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(RemoveUser(X))) + => computeValidVotesCount(Action, MasterLog) + requires notBool userHasSigned(X, Action, MasterLog) andBool actionExists(Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(AddProposer(X))) + => computeValidVotesCount(Action, MasterLog) - 1 + requires 
userHasSigned(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(AddProposer(X))) + => computeValidVotesCount(Action, MasterLog) + requires notBool userHasSigned(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(AddBoardMember(X))) + => computeValidVotesCount(Action, MasterLog) + 1 + requires userHasSignature(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(AddBoardMember(X))) + => computeValidVotesCount(Action, MasterLog) + requires notBool userHasSignature(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(unsign(X, Action))) + => computeValidVotesCount(Action, MasterLog) - 1 + requires userHasSigned(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(unsign(X, Action))) + => computeValidVotesCount(Action, MasterLog) + requires notBool userHasSigned(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(sign(X, Action))) + => computeValidVotesCount(Action, MasterLog) + 1 + requires boardAlreadyContains(X, MasterLog) + andBool notBool userHasSigned(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(sign(X, Action))) + => computeValidVotesCount(Action, MasterLog) + requires boardAlreadyContains(X, MasterLog) + andBool userHasSigned(X, Action, MasterLog) + rule computeValidVotesCount(Action, MasterLog Execute(sign(X, Action))) + => stuck + requires notBool boardAlreadyContains(X, MasterLog) + rule computeValidVotesCount(Action, MasterLog _) => computeValidVotesCount(Action, MasterLog) + + syntax Bool ::= userHasSigned(UserId, ActionId, MasterLog) + rule userHasSigned(UserId, ActionId, MasterLog) + => boardAlreadyContains(UserId, MasterLog) // TODO: Use "userCanVote" + andBool userHasSignature(UserId, ActionId, MasterLog) + + syntax Bool ::= userHasSignature(UserId, ActionId, MasterLog) + rule userHasSignature(UserId, ActionId, MasterLog Execute(unsign(UserId, ActionId))) + => false 
+ rule userHasSignature(UserId, ActionId, MasterLog Execute(sign(UserId, ActionId))) + => true + rule userHasSignature(UserId, ActionId, MasterLog _) + => userHasSignature(UserId, ActionId, MasterLog) [owise] + + /* + syntax Bool ::= eachProposedActionGetsNewId(MasterLog) [owise] + rule eachProposedActionGetsNewId(MasterLog Execute(AddAction(X))) + */ + + syntax Bool ::= stateReflectsActions(State, MasterLog) [function] + rule stateReflectsActions() => true + // consistency checks - TODO: Which of them do I need? + andBool userRoleReflectsActions() + andBool quorumReflectsActions() + // both the board and the board size + andBool boardReflectsActions() + andBool proposerCountReflectsActions() + andBool usersReflectActions() + andBool votesAreValid() + + andBool lastIndexIsMaxUsed(ActionLastIndex, AL) + andBool actionsCorrespondToLog(Actions, AL) + andBool votesCorrespondToLog(Actions, VL) + andBool usersCorrespondToLog(Users, UL) +endmodule diff --git a/multisig/protocol-correctness/proof-configuration.k b/multisig/protocol-correctness/proof-configuration.k new file mode 100644 index 000000000..a0242a2b5 --- /dev/null +++ b/multisig/protocol-correctness/proof-configuration.k 
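Review bot: `boardAlreadyContains` is declared as `boardAlreadyContains(MasterLog, UserId)`, but the three `sign` rules of `computeValidVotesCount` and the `userHasSigned` rule call it as `boardAlreadyContains(X, MasterLog)` — the arguments are swapped in exactly the rules that decide whether a signature counts toward `allExecutedActionsWereAddedThenSigned`, the quorum-safety property; they should read `boardAlreadyContains(MasterLog, X)`. The `[owise]` rule sitting under `computeBoardSize` is written as `rule computeQuorum(MasterLog A) => computeQuorum(MasterLog) [owise]`, which leaves `computeBoardSize` with no case for non-membership actions and gives `computeQuorum` a second default; it presumably should be `rule computeBoardSize(MasterLog A) => computeBoardSize(MasterLog) [owise]`. Smaller consistency issues in the same hunk: `computeBoardSize`, `computeProposerCount` and `computeValidVotesCount` mix `+ 1` / `- 1` with `+Int` / `-Int`, `computeQuorum` calls an undeclared `isChangeQuorum`, and `userHasSigned` / `userHasSignature` lack the `[function]` attribute every other predicate here carries. The top-level `invariant` rule also calls helpers with arities that do not match their declarations (`canVote(U, B)` vs `canVote(MasterLog)`, `stateReflectsActions()` vs `stateReflectsActions(State, MasterLog)`), which looks like scaffolding for later patches in the series. Parts of the hunk (the tail of `canVote`) are garbled in this rendering, so I have not commented on them.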
@@ -0,0 +1,26 @@ +module PROOF-CONFIGURATION + imports CONFIGURATION + + syntax ActionLogEntry ::= logPropose(usize) | logPerform(usize) | logDiscard(usize) + syntax ActionLog ::= actionLog(List) // list of ActionLogEntry + + syntax VoteLogEntry ::= logSign(usize) | logUnsign(usize) + syntax VoteLog ::= actionLog(List) // list of ActionLogEntry + + syntax UserLogEntry ::= logAddBoardMember(Address?) + | logAddProposer(Address?) + | logRemoveUser(Address?) + syntax UserLog ::= List(UserLogEntry) + + syntax ProofState ::= proofState(ActionLog, VoteLog, UserLog) + + syntax KItem ::= log(Command) + + rule start(Command) => run(Command) ~> log(Command) [priority(??25)] + rule error ~> log(Command) => .K [priority(25)] + + configuration + proofState(actionLog(.List), voteLog(.List), ...) + + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k new file mode 100644 index 000000000..61d856214 --- /dev/null +++ b/multisig/protocol-correctness/pseudocode.k 
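Review bot: `VoteLog` is declared with the same constructor as `ActionLog` (`syntax VoteLog ::= actionLog(List)`, with the `// list of ActionLogEntry` comment copied along), while the `configuration` below initialises it with `voteLog(.List)`, which is never declared; the line should read `syntax VoteLog ::= voteLog(List) // list of VoteLogEntry`. The `[priority(??25)]` attribute on the `start` rule is a placeholder that will not parse; the paired `error ~> log(Command)` rule uses `priority(25)`, so the intended value should be pinned down here. `syntax UserLog ::= List(UserLogEntry)` does not look like a sort declaration K accepts, so it probably wants the same `userLog(List)` shape as the other two logs — to be confirmed against the rest of the series. The cell markup of the `configuration` block appears to have been lost in this rendering, so I have not commented on it.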
@@ -0,0 +1,1288 @@ +module PSEUDOCODE-SYNTAX + imports INT + imports LIST + imports STRING + + syntax CodeMetadata ::= "CodeMetadata::DEFAULT" [function] + | "CodeMetadata::UPGRADEABLE" [function] + | "CodeMetadata::PAYABLE" [function] + | "CodeMetadata::READABLE" [function] + + syntax Usize ::= u(Int) // TODO: int32 + syntax BigUint ::= big(Int) // Assumes no operations on this. + syntax CodeMetadata ::= meta(Int) // Assumes no operations on this. + syntax UserRole ::= "None" | "Proposer" | "BoardMember" + syntax BoxedBytes ::= bytes(String) + syntax Address ::= address(Int) + syntax Action ::= "Nothing" + | AddBoardMember(Address) + | AddProposer(Address) + | RemoveUser(Address) + | ChangeQuorum(Usize) + | SendEgld(to: Address, amount: BigUint, data: BoxedBytes) + | SCDeploy( + amount: BigUint, + code: BoxedBytes, + codeMetadata: CodeMetadata, + arguments: ExpressionList) // list of BoxedBytes + | SCCall( + to: Address, + amount: BigUint, + function: BoxedBytes, + arguments: ExpressionList) // list of BoxedBytes + + syntax Variable ::= r"[A-Za-z_][A-Za-z_0-9]*" [token] + syntax Variable ::= "action" [token] + | "action_id" [token] + | "address" [token] + | "caller" [token] + | "caller_id" [token] + | "caller_role" [token] + | "code_metadata" [token] + | "data" [token] + | "gas_left" [token] + | "i" [token] + | "new_address" [token] + | "quorum" [token] + | "user_id" [token] + | "result" [token] + + syntax ExternalCommands ::= ExternalCommand + | ExternalCommand ExternalCommands + syntax ExternalCommand ::= "from" Address "run" EndpointCall ";" + + syntax Block ::= "{" Instructions "}" + syntax Instructions ::= Instruction + | Instruction Instructions + syntax Instruction ::= "require" "(" Expression ")" ";" + | Variable "=" Expression ";" + | "if" "(" Expression ")" Block [avoid] + | "if" "(" Expression ")" Block "else" Block [prefer] + | "for" "(" index:Variable "," value:Variable ")" "in" Expression Block + | Expression ";" + | "ok" "(" Expression ")" ";" + 
syntax Value ::= Usize + | "void" + | Bool + | UserRole + | Address + | BoxedBytes + | BigUint + | CodeMetadata + syntax Expression ::= FunctionCall + | Variable + | ExpressionList + | Action + | Value + | Expression "+" Expression + | Expression "-" Expression + | Expression "|" Expression + > Expression "==" Expression + | Expression "<=" Expression + | Expression ">" Expression + | "!" Expression + + syntax ExpressionCSV ::= "." + | Expression "," ExpressionCSV + + syntax ArgumentCSV ::= Expression + | Expression "," ArgumentCSV + + syntax ExpressionList ::= "[" ExpressionCSV "]" + + syntax FunctionCall ::= FunctionTag "(" ")" + | FunctionTag "(" ArgumentCSV ")" + + syntax FunctionTag ::= "proposeAction" // (action) + | "setQuorum" // (quorum) + | "setActionLastIndex" // (index) + | "setActionData" // (action_id, action) + | "setActionSignerIDs" // (action_id, signer_list) + | "setNumBoardMembers" // (usize) + | "setNumProposers" // (usize) + | "setNumUsers" // (usize) + | "setUserId" // (address, user_id) + | "setUserAddress" // (user_id, address) + | "setUserIdToRole" // (user_id, role) + | "getActionData" // (action_id) + | "getActionSignerIds" // (action_id) + | "getActionValidSignerCount" // (action_id) + | "getCaller" // () + | "getNumBoardMembers" // () + | "getNumProposers" // () + | "getNumUsers" // () + | "getOrCreateUser" // (address) + | "getUserId" // (address) + | "getUserIdToRole" // (user_id) + | "getActionLastIndex" // () + | "getQuorum" // () + | "getGasLeft" // () + | "deployContract" // (gas_left, amount, code, code_metadata, arguments) + | "userRoleCanPropose" // (user_role) + | "userRoleCanSign" // (user_role) + | "userRoleCanPerformAction" // (user_role) + | "userRoleCanDiscardAction" // (user_role) + | "listContains" // ([list], Usize) + | "listFind" // ([list], Usize) + | "listLen" // ([list]) + | "listSwapRemove" // ([list]) + | "isEmptyList" // ([list]) + | "pushList" // ([list], Usize) + | "isEmptyActionData" // (action_id) + | 
"canSign" // (user_id) + | "performAction" // (action_id) + | "performActionFromId" // (action_id) + | "quorumReached" // (action_id) + | "clearAction" // (action_id) + | "changeUserRole" // (user_id, user_role) + | "countCanSign" // ([list]) + | "sendTx" // (address, amount, data) + | "asyncCall" // (address, amount, [data]) + | EndpointTag + + syntax EndpointCall ::= EndpointTag "(" ")" + | EndpointTag "(" ArgumentCSV ")" + + syntax EndpointTag ::= "init" // (quorum, board) + | "proposeAddBoardMember" // (user_id) + | "proposeAddProposer" // (user_id) + | "proposeRemoveUser" // (user_id) + | "proposeChangeQuorum" // (quorum) + | "proposeSendEgld" // (address, amount, args) + | "proposeSCDeploy" // (amount, code, upgradeable, payable, readable, args) + | "proposeSCCall" // (to_address, amount, function, args) + | "sign" // (action_id) + | "unsign" // (action_id) + | "performActionEndpoint" // (action_id) + | "discardAction" // (action_id) + + syntax KItem ::= runExternalCalls(ExternalCommands) + syntax KItem ::= runExternalCall(ExternalCommand) + syntax KItem ::= runPseudoCode(Instructions) + syntax KItem ::= runInstruction(Instruction) + syntax KItem ::= evaluate(Expression) + syntax KItem ::= evaluateEc(ExpressionCSV) + syntax KItem ::= evaluateAc(ArgumentCSV) + +endmodule + +module PSEUDOCODE + imports PSEUDOCODE-CONFIGURATION + imports PSEUDOCODE-DETAILS + imports PSEUDOCODE-EXPRESSION + imports PSEUDOCODE-EXTERNAL + imports PSEUDOCODE-FOR + imports PSEUDOCODE-FUNCTIONS + imports PSEUDOCODE-IF + imports PSEUDOCODE-INSTRUCTIONS + imports PSEUDOCODE-MEMORY + imports PSEUDOCODE-SYNTAX +endmodule + +module PSEUDOCODE-TYPE-REFLECTION + imports MAYBE + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-SYNTAX + + syntax ReflectionType ::= "rUsize" + | "rUserRole" + | "rExpressionList" + | "rBool" + | "rAction" + | "rAddress" + | "rBoxedBytes" + | "rBigUint" + | "rCodeMetadata" + + syntax KItem ::= cast(KItem, ReflectionType) [strict(1)] + + /* + rule cast(nothing, 
_:ReflectionType) => nothing + rule cast(just(K:KItem) => K, _:ReflectionType) + */ + + rule cast(value(K:KItem) => K, _:ReflectionType) + + rule cast(U:Usize, rUsize) => U + rule (.K => stuck) ~> cast(V:KItem, rUsize) + ensures notBool isUsize(V) + [owise] + + rule cast(U:UserRole, rUserRole) => U + rule (.K => stuck) ~> cast(V:KItem, rUserRole) + ensures notBool isUserRole(V) + [owise] + + rule cast(V:ExpressionList, rExpressionList) => V + rule (.K => stuck) ~> cast(V:KItem, rExpressionList) + ensures notBool isExpressionList(V) + [owise] + + rule cast(A:Action, rAction) => A + rule (.K => stuck) ~> cast(V:KItem, rAction) + ensures notBool isAction(V) + [owise] + + rule cast(A:Address, rAddress) => A + rule (.K => stuck) ~> cast(V:KItem, rAddress) + ensures notBool isAddress(V) + [owise] + + syntax KItem ::= defaultValue(ReflectionType) [function, functional] + rule defaultValue(rUsize) => u(0) + rule defaultValue(rUserRole) => None + rule defaultValue(rExpressionList) => [.] + rule defaultValue(rBool) => false + rule defaultValue(rAction) => Nothing + rule defaultValue(rAddress) => address(0) + rule defaultValue(rBoxedBytes) => bytes("") + rule defaultValue(rBigUint) => big(0) + rule defaultValue(rCodeMetadata) => CodeMetadata::DEFAULT + + syntax Bool ::= isDefaultValue(KItem, ReflectionType) [function, functional] + rule isDefaultValue(K:KItem, T:ReflectionType) => K ==K defaultValue(T) + [owise] // allow overriding + + syntax Bool ::= valueOfType(KItem, ReflectionType) [function, functional] + rule valueOfType(V:KItem, rUsize) => isUsize(V) + rule valueOfType(V:KItem, rUserRole) => isUserRole(V) + rule valueOfType(V:KItem, rExpressionList) => isExpressionList(V) + rule valueOfType(V:KItem, rBool) => isBool(V) + rule valueOfType(V:KItem, rAction) => isAction(V) + rule valueOfType(V:KItem, rAddress) => isAddress(V) + rule valueOfType(V:KItem, rBoxedBytes) => isBoxedBytes(V) + rule valueOfType(V:KItem, rBigUint) => isBigUint(V) + rule valueOfType(V:KItem, 
rCodeMetadata) => isCodeMetadata(V) +endmodule + +module PSEUDOCODE-INSTRUCTIONS + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-CONFIGURATION + imports PSEUDOCODE-SYNTAX + + rule runPseudoCode(I:Instruction) => runInstruction(I) + rule runPseudoCode(I:Instruction Is:Instructions) + => runInstruction(I) ~> runPseudoCode(Is) + + rule error ~> (runPseudoCode(_) => .K) ... + // ListItem(_) ... + // rule error ~> (runPseudoCode(_) => .K) ... + // .List + rule error => .K + .List + + rule runInstruction(E:Expression;) => evaluate(E) + rule (evaluate(E:Expression) => .K) ~> runInstruction(_) + requires isKResult(E) + rule (evaluate(E:Expression) => .K) ~> runPseudoCode(_) + requires isKResult(E) + + context runInstruction(require({HOLE:Expression => evaluate(HOLE)}:>Expression);) + rule runInstruction(require(true);) => evaluate(void) + rule runInstruction(require(false);) => error +endmodule + +module PSEUDOCODE-EXTERNAL + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-CONFIGURATION + imports PSEUDOCODE-SYNTAX + + rule runExternalCalls(C:ExternalCommand) => runExternalCall(C) + rule runExternalCalls(C:ExternalCommand Cs:ExternalCommands) + => runExternalCall(C) ~> runExternalCalls(Cs) + + syntax KItem ::= "clearExternalCallEnv" + rule clearExternalCallEnv => .K ... + _ => uninitialized + + rule (evaluate(E:Expression) => .K) ~> clearExternalCallEnv + requires isKResult(E) + + rule (E:Expression => .K) ~> clearExternalCallEnv + requires isKResult(E) + + rule (error => .K) ~> clearExternalCallEnv ... + + syntax KItem ::= endpointToInstruction(EndpointCall) + rule endpointToInstruction(Tag:EndpointTag()) => runInstruction(Tag();) + rule endpointToInstruction(Tag:EndpointTag(Es:ArgumentCSV)) => runInstruction(Tag(Es);) + + rule + runExternalCall(from A:Address run Call:EndpointCall;) + => endpointToInstruction(Call) ~> clearExternalCallEnv + ... 
+ uninitialized => A + +endmodule + +module PSEUDOCODE-MEMORY + imports MAP-UTILS + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-CONFIGURATION + imports PSEUDOCODE-SYNTAX + + context runInstruction(_:Variable = {HOLE => evaluate(HOLE)}:>Expression;) + + rule (runInstruction(V:Variable = E:Expression;) => evaluate(void)) ... + M:Map => M[V <- E] + requires isKResult(E) + + rule evaluate(V:Variable => {M[V]}:>Expression) ... + M:Map + requires V in_keys(M) +endmodule + +module PSEUDOCODE-FOR + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-SYNTAX + + syntax Instruction ::= "for" "(" indexVar:Variable "=" value:Usize "," valueVar:Variable ")" "in" ExpressionList Block + + context runInstruction(for(_:Variable, _:Variable) in {HOLE:Expression => evaluate(HOLE)}:>Expression _:Block) + rule runInstruction(for(Index:Variable, Value:Variable) in (L:ExpressionList) B:Block) + => runInstruction(for(Index = u(0), Value) in L B) + requires isKResult(L) + + rule runInstruction(for(_:Variable = _:Usize, _:Variable) in [.] 
_:Block) + => evaluate(void) + rule runInstruction( + for (IndexVar:Variable = u(Index:Int), ValueVar:Variable) + in [E:Expression, Es:ExpressionCSV] + {B:Instructions} + ) + => runPseudoCode(IndexVar = u(Index); ValueVar = E; B) + ~> runInstruction(for(IndexVar = u(Index +Int 1), ValueVar) in [Es:ExpressionCSV] {B}) +endmodule + +module PSEUDOCODE-IF + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-SYNTAX + + context runInstruction(if({HOLE:Expression => evaluate(HOLE)}:>Expression) _:Block) + context runInstruction(if({HOLE:Expression => evaluate(HOLE)}:>Expression) _:Block else _:Block) + + rule runInstruction(if(true) {Is:Instructions}) => runPseudoCode(Is) + rule runInstruction(if(false) _:Block) => evaluate(void) + + rule runInstruction(if(true) {Is:Instructions} else _:Block) => runPseudoCode(Is) + rule runInstruction(if(false) _:Block else {Is:Instructions}) => runPseudoCode(Is) +endmodule + +module PSEUDOCODE-EXPRESSION + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-SYNTAX + + rule add(u(A:Int), u(B:Int)) => u(A +Int B) + rule sub(u(A:Int), u(B:Int)) => u(A -Int B) + + context evaluate(! {HOLE:Expression => evaluate(HOLE)}:>Expression) + rule evaluate((! false) => true) + rule evaluate((! 
true) => false) + + context evaluate({HOLE:Expression => evaluate(HOLE)}:>Expression <= _:Expression) + context evaluate(A:Expression <= {HOLE:Expression => evaluate(HOLE)}:>Expression) requires isKResult(A) + rule evaluate((u(A:Int) <= u(B:Int)) => (A <=Int B)) + + context evaluate({HOLE:Expression => evaluate(HOLE)}:>Expression > _:Expression) + context evaluate(A:Expression > {HOLE:Expression => evaluate(HOLE)}:>Expression) requires isKResult(A) + rule evaluate((u(A:Int) > u(B:Int)) => (A >Int B)) + + context evaluate({HOLE:Expression => evaluate(HOLE)}:>Expression == _:Expression) + context evaluate(A:Expression == {HOLE:Expression => evaluate(HOLE)}:>Expression) requires isKResult(A) + rule evaluate((A:Expression == B:Expression) => (A ==K B)) + requires isKResult(A) andBool isKResult(B) + + context evaluate({HOLE:Expression => evaluate(HOLE)}:>Expression + _:Expression) + context evaluate(A:Expression + {HOLE:Expression => evaluate(HOLE)}:>Expression) requires isKResult(A) + rule evaluate(A:Usize + B:Usize => add(A, B)) + + context evaluate({HOLE:Expression => evaluate(HOLE)}:>Expression - _:Expression) + context evaluate(A:Expression - {HOLE:Expression => evaluate(HOLE)}:>Expression) requires isKResult(A) + rule evaluate(A:Usize - B:Usize => sub(A, B)) + + context evaluate({HOLE:Expression => evaluate(HOLE)}:>Expression | _:Expression) + context evaluate(A:Expression | {HOLE:Expression => evaluate(HOLE)}:>Expression) requires isKResult(A) + rule evaluate((u(A:Int) | u(B:Int)) => u(A |Int B)) + rule evaluate((meta(A:Int) | meta(B:Int)) => meta(A |Int B)) + + context evaluate([{HOLE:ExpressionCSV => evaluateEc(HOLE)}:>ExpressionCSV]) +endmodule + +module PSEUDOCODE-COMMON + imports PSEUDOCODE-SYNTAX + + syntax KResult ::= Value + + rule CodeMetadata::DEFAULT => meta(0) + rule CodeMetadata::UPGRADEABLE => meta(1 < meta(1 < meta(1 < removeValue) => .K + requires isKResult(E) +endmodule + +module PSEUDOCODE-DETAILS + imports PSEUDOCODE-COMMON + imports 
PSEUDOCODE-SYNTAX + + context evaluateAc({HOLE:Expression => evaluate(HOLE)}:>ArgumentCSV) + context evaluateAc({HOLE:Expression => evaluate(HOLE)}:>Expression , _:ArgumentCSV) + context evaluateAc(E:Expression , {HOLE:ArgumentCSV => evaluateAc(HOLE)}:>ArgumentCSV) + requires isKResult(E) + + context evaluateEc({HOLE:Expression => evaluate(HOLE)}:>Expression , _:ExpressionCSV) + context evaluateEc(E:Expression , {HOLE:ExpressionCSV => evaluateEc(HOLE)}:>ExpressionCSV) + requires isKResult(E) + + rule isKResult(E:Expression , Es:ArgumentCSV) => isKResult(E) andBool isKResult(Es) + + rule isKResult(.:ExpressionCSV) => true + rule isKResult(E:Expression , Es:ExpressionCSV) => isKResult(E) andBool isKResult(Es) + + rule isKResult([Es:ExpressionCSV]) => isKResult(Es) + + rule isKResult(A:Action) => isKResultAction(A) + + syntax Bool ::= isKResultAction(Action) [function, functional] + + rule isKResultAction(Nothing) => true + rule isKResultAction(AddBoardMember(A:Address)) => isKResult(A) + rule isKResultAction(AddProposer(A:Address)) => isKResult(A) + rule isKResultAction(RemoveUser(A:Address)) => isKResult(A) + rule isKResultAction(ChangeQuorum(U:Usize)) => isKResult(U) + rule isKResultAction(SendEgld(To:Address, Amount:BigUint, Data:BoxedBytes)) + => isKResult(To) andBool isKResult(Amount) andBool isKResult(Data) + rule isKResultAction(SCDeploy( + Amount:BigUint, + Code:BoxedBytes, + CodeMetadata:CodeMetadata, + Arguments:ExpressionList)) + => isKResult(Amount) + andBool isKResult(Code) + andBool isKResult(CodeMetadata) + andBool isKResult(Arguments) + rule isKResultAction(SCCall( + To:Address, + Amount:BigUint, + Function:BoxedBytes, + Arguments:ExpressionList)) + => isKResult(To) + andBool isKResult(Amount) + andBool isKResult(Function) + andBool isKResult(Arguments) +endmodule + +module PSEUDOCODE-FUNCTIONS + imports BOOL + imports MAP + + imports MAP-UTILS + imports PSEUDOCODE-COMMON + imports PSEUDOCODE-CONFIGURATION + imports PSEUDOCODE-MAP-UTILS + imports 
PSEUDOCODE-SYNTAX + imports PSEUDOCODE-TYPE-REFLECTION + + syntax KResult + + syntax KItem ::= "pushContext" | "popContext" | "evaluateReturnValue" + syntax KItem ::= stuck(KItem) + syntax KItem ::= call(Expression) + syntax KItem ::= Expression + + syntax Stack ::= stackEntry(MultisigStateCell, Map) + + context evaluate(_:FunctionTag( + {HOLE => evaluateAc(HOLE)}:>ArgumentCSV + )) + + rule evaluate(_:FunctionTag(Args:ArgumentCSV) #as FunctionCall) + => (pushContext ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue) + ... + requires isKResult(Args) + rule evaluate(_:FunctionTag() #as FunctionCall) + => (pushContext ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue) + ... + + rule pushContext => .K ... + + S:MultisigStateCell + + V:Map => .Map + (.List => ListItem(stackEntry(S, V))) ... + + _:ExternalCallEnvCell + _:ProofStateCell + + + rule (evaluate(E:Expression) => E) ~> popContext ... + requires isKResult(E) + + rule E:Expression ~> (popContext => .K) ... + _ => V + (ListItem(stackEntry(_, V:Map)) => .List) ... + requires isKResult(E) + + rule (E:Expression ~> evaluateReturnValue) => evaluate(E) ... + requires isKResult(E) + + rule error ~> (popContext => .K) ... + + (_ => S) + + _ => V + (ListItem(stackEntry(S:MultisigStateCell, V:Map)) => .List) ... + + _:ExternalCallEnvCell + _:ProofStateCell + + + rule error ~> (evaluateReturnValue => .K) ... 
+ + context runInstruction(ok({HOLE:Expression => evaluate(HOLE)}:>Expression);) + rule runInstruction(ok(E:Expression);) => E requires isKResult(E) + + rule call(init(Quorum:Usize, Board:ExpressionList)) => + runPseudoCode( + require(!isEmptyList(Board)); + require(Quorum <= listLen(Board)); + setQuorum(Quorum); + for (i, address) in Board { + user_id = i + u(1); + require(getUserId(address) == u(0)); + setUserId(address, user_id); + setUserAddress(user_id, address); + setUserIdToRole(user_id, BoardMember); + } + setNumUsers(listLen(Board)); + setNumBoardMembers(listLen(Board)); + ok(void); + ) + + rule call(proposeAddBoardMember(Member:Address)) => + runPseudoCode( + proposeAction(AddBoardMember(Member)); + ) + + rule call(proposeAddProposer(Member:Address)) => + runPseudoCode( + proposeAction(AddProposer(Member)); + ) + + rule call(proposeRemoveUser(Member:Address)) => + runPseudoCode( + proposeAction(RemoveUser(Member)); + ) + + rule call(proposeChangeQuorum(Quorum:Usize)) => + runPseudoCode( + proposeAction(ChangeQuorum(Quorum)); + ) + + rule call(proposeSendEgld(To:Address, Amount:BigUint)) => + runPseudoCode( + proposeAction(SendEgld(To, Amount, bytes(""))); + ) + + rule call(proposeSendEgld(To:Address, Amount:BigUint, Data:BoxedBytes)) => + runPseudoCode( + proposeAction(SendEgld(To, Amount, Data)); + ) + + rule call(proposeSCDeploy( + Amount:BigUint, + Code:BoxedBytes, + Upgradeable:Bool, + Payable:Bool, + Readable:Bool, + Args:ExpressionList)) => + runPseudoCode( + code_metadata = CodeMetadata::DEFAULT; + if (Upgradeable) { + code_metadata = code_metadata | CodeMetadata::UPGRADEABLE; + } + if (Payable) { + code_metadata = code_metadata | CodeMetadata::PAYABLE; + } + if (Readable) { + code_metadata = code_metadata | CodeMetadata::READABLE; + } + proposeActionSCDeploy(Amount, Code, code_metadata, Args); + ) + + syntax FunctionTag ::= "proposeActionSCDeploy" + rule call(proposeActionSCDeploy(Amount:BigUint, Code:BoxedBytes, CodeMetadata:CodeMetadata, 
Args:ExpressionList)) + => runPseudoCode(proposeAction(SCDeploy(Amount, Code, CodeMetadata, Args));) + + rule call(proposeSCCall(To:Address, Amount:BigUint, Function:BoxedBytes, Args:ExpressionList)) => + runPseudoCode( + proposeAction(SCCall(To, Amount, Function, Args)); + ) + + rule call(sign(ActionId:Usize)) => + runPseudoCode( + require(!isEmptyActionData(ActionId)); + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(canSign(caller_role)); + + signer_ids = getActionSignerIds(ActionId); + if (!listContains(signer_ids, caller_id)) { + signer_ids = pushList(signer_ids, caller_id); + setActionSignerIDs(ActionId, signer_ids); + } + + ok(void); + ) + + rule call(unsign(ActionId:Usize)) => + runPseudoCode( + require(!isEmptyActionData(ActionId)); + + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(canSign(caller_role)); + + signer_ids = getActionSignerIds(ActionId); + signer_pos = listFind(signer_ids, caller_id); + if (u(0) <= signer_pos) { + signer_ids = listSwapRemove(signer_ids, signer_pos); + setActionSignerIDs(ActionId, signer_ids); + } + + ok(void); + ) + + rule call(proposeAction(A:Action)) + => runPseudoCode( + caller = getCaller(); + caller_id = getUserId(caller); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPropose(caller_role)); + action_id = getActionLastIndex() + u(1); + setActionLastIndex(action_id); + setActionData(action_id, A); + if (userRoleCanSign(caller_role)) { + setActionSignerIDs(action_id, [caller_id, .]); // TODO + } + ok(action_id); + ) + + rule call(performActionEndpoint(ActionId:Usize)) + => runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId)); + performActionFromId(ActionId); + ) + + rule 
call(discardAction(ActionId:Usize)) + => runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanDiscardAction(caller_role)); + require(getActionValidSignerCount(ActionId) == u(0)); + clearAction(ActionId); + ok(void); + ) + + rule call(userRoleCanPropose(None)) => false + rule call(userRoleCanPropose(Proposer)) => true + rule call(userRoleCanPropose(BoardMember)) => true + + rule call(userRoleCanSign(None)) => false + rule call(userRoleCanSign(Proposer)) => false + rule call(userRoleCanSign(BoardMember)) => true + + rule call(userRoleCanPerformAction(R:UserRole) => userRoleCanPropose(R)) + + rule call(userRoleCanDiscardAction(R:UserRole) => userRoleCanPropose(R)) + + rule call(isEmptyList([.])) => true + rule call(isEmptyList(_:ExpressionList)) => false [owise] + + rule call(listLen([.])) => u(0) + rule call(listLen([_:Expression , Es:ExpressionCSV])) + => call(listLen([Es])) ~> plusOne + + syntax KItem ::= "plusOne" + rule (I:Usize ~> plusOne) => add(I, u(1)) + + rule call(setQuorum(Quorum:Usize)) => void ... + _ => Quorum + + rule call(setNumUsers(Users:Usize)) => void ... + _ => Users + + rule call(setNumBoardMembers(Members:Usize)) => void ... + _ => Members + + rule call(setNumProposers(Proposers:Usize)) => void ... + _ => Proposers + + rule (.K => nullableMapSet(E, I, M, rUsize)) ~> call(setUserId(E:Expression, I:Usize)) ... + M:Map + rule (M:Map ~> call(setUserId(_:Expression, _:Usize))) => void ... + _:Map => M + + rule (.K => mapSet(I, E, M)) ~> call(setUserAddress(I:Usize, E:Expression)) ... + M:Map + rule (M:Map ~> call(setUserAddress(_:Usize, _:Expression))) => void ... + _:Map => M + + rule (.K => nullableMapSet(I, R, M, rUserRole)) ~> call(setUserIdToRole(I:Usize, R:UserRole)) ... + M:Map + rule (M:Map ~> call(setUserIdToRole(_:Usize, _:UserRole))) => void ... + _:Map => M + + rule call(getCaller()) => A ... 
+ A:Address + + rule call(getQuorum()) => Quorum ... + Quorum:Usize + + rule call(getUserId(A:Expression)) + => cast(A, rAddress) + ~> removeValue + ~> nullableMapLookup(A, M, rUsize) + ... + M:Map + + rule call(getUserIdToRole(I:Usize)) => nullableMapLookup(I, M, rUserRole) ... + M:Map + + rule call(getActionLastIndex()) => Index ... + Index:Usize + + rule call(setActionLastIndex(Index:Usize)) => void ... + _ => Index + + rule call(getNumUsers()) => Users ... + Users:Usize + + rule call(getNumBoardMembers()) => Members ... + Members:Usize + + rule call(getNumProposers()) => Proposers ... + Proposers:Usize + + rule (.K => nullableMapSet(ActionId, A, M, rAction)) ~> call(setActionData(ActionId:Usize, A:Action)) ... + M:Map + rule (M:Map ~> call(setActionData(_:Usize, _:Action))) => void ... + _:Map => M + + rule call(getActionData(ActionId:Usize)) => nullableMapLookup(ActionId, M, rAction) ... + M:Map + + rule (.K => nullableMapSet(ActionId, Signers, M, rExpressionList)) + ~> call(setActionSignerIDs(ActionId:Usize, Signers:ExpressionList)) + ... + M:Map + + rule (M:Map ~> call(setActionSignerIDs(_:Usize, _:ExpressionList))) => void ... + _:Map => M + + rule (.K => call(getActionData(ActionId))) ~> call(isEmptyActionData(ActionId:Usize)) ... + rule Action:Action ~> call(isEmptyActionData(_:Usize)) => Action ==K Nothing + + rule call(canSign(BoardMember)) => true + rule call(canSign(_)) => false [owise] + + rule call(getActionSignerIds(ActionId:Usize)) + => nullableMapLookup(ActionId, M:Map, rExpressionList) + ... 
+ M:Map + + rule call(listContains(Es:ExpressionList, E:Expression)) => #listContains(Es, E) + + syntax Bool ::= #listContains(ExpressionList, KItem) [function, functional] + + rule #listContains([.], _) => false + rule #listContains([E:Expression, _:ExpressionCSV], E) => true + rule #listContains([_:Expression, Es:ExpressionCSV], X:KItem) + => #listContains([Es], X) [owise] + + rule call(listFind(Es:ExpressionList, E:Expression)) => #listFind(Es, E) + + syntax Usize ::= #listFind(ExpressionList, Expression) [function, functional] + + rule #listFind([.], _) => u(-1) + rule #listFind([X:Usize, _:ExpressionCSV], X) => u(0) + rule #listFind([_:Usize, Es:ExpressionCSV], X:Usize) => add(#listFind([Es], X), u(1)) [owise] + + /* + rule call(listSwapRemove([_:Expression , L:ExpressionCSV], u(0))) => lastToStart(., L) + rule call(listSwapRemove([E:Expression , L:ExpressionCSV], u(Index:Int))) + => call(listSwapRemove([L], u(Index -Int 1))) ~> pushListFreezer(E) + requires Index >Int 0 + + syntax KItem ::= pushListFreezer(Expression) + rule [L:ExpressionCSV] ~> pushListFreezer(E:Expression) => [E , L] + + syntax KItem ::= lastToStart(ExpressionCSV, ExpressionCSV) + syntax KItem ::= reverseExpressionCsv(ExpressionCSV, ExpressionCSV) + + rule lastToStart(., .) => [.] + rule lastToStart(L1:ExpressionCSV, (E:Expression , L2:ExpressionCSV)) + => lastToStart((E , L1), L2) + rule lastToStart(L1:ExpressionCSV, (E:Expression, .)) + => reverseExpressionCsv(L1, .) 
~> pushListFreezer(E) + + rule reverseExpressionCsv(., L2:ExpressionCSV) => L2 + rule reverseExpressionCsv((E:Expression , Es:ExpressionCSV), L2:ExpressionCSV) => reverseExpressionCsv(Es, (E , L2)) + */ + + rule call(listSwapRemove([L:ExpressionCSV], u(I:Int))) + => [#listSwapRemove(L, I)] + // TODO: require I >= 0 + + syntax ExpressionCSV ::= #listSwapRemove(ExpressionCSV, Int) [function, functional] + rule #listSwapRemove(_:Expression , Es:ExpressionCSV, 0) + => lastToStart(., Es) + rule #listSwapRemove(E:Expression , Es:ExpressionCSV, I:Int) + => E , #listSwapRemove(Es, I -Int 1) + requires I >Int 0 + rule #listSwapRemove(Es:ExpressionCSV, I:Int) + => Es + requires I .:ExpressionCSV + rule lastToStart(L1:ExpressionCSV, (E:Expression, .)) + => E , reverseExpressionCsv(L1, .) + rule lastToStart(L1:ExpressionCSV, (E:Expression , L2:ExpressionCSV)) + => lastToStart((E , L1), L2) + + syntax ExpressionCSV ::= reverseExpressionCsv(ExpressionCSV, ExpressionCSV) [function, functional] + rule reverseExpressionCsv(., L2:ExpressionCSV) => L2 + rule reverseExpressionCsv((E:Expression , Es:ExpressionCSV), L2:ExpressionCSV) => reverseExpressionCsv(Es, (E , L2)) + + rule call(performActionFromId(ActionId:Usize)) + => runPseudoCode( + action = getActionData(ActionId); + clearAction(ActionId); + performAction(action); + + ) + + rule call(performAction(Nothing)) => evaluate(void) + + rule call(performAction(AddBoardMember(BoardMemberAddress:Address))) + => runPseudoCode( + changeUserRole(BoardMemberAddress, BoardMember); + ) + + rule call(performAction(AddProposer(ProposerAddress:Address))) + => runPseudoCode( + changeUserRole(ProposerAddress, Proposer); + new_board_members = getNumBoardMembers(); + require(getQuorum() <= new_board_members); + ) + + rule call(performAction(RemoveUser(UserAddress:Address))) + => runPseudoCode( + changeUserRole(UserAddress, None); + num_board_members = getNumBoardMembers(); + num_proposers = getNumProposers(); + require(num_board_members + 
num_proposers > u(0)); + require(getQuorum() <= num_board_members); + ) + + rule call(performAction(ChangeQuorum(NewQuorum))) + => runPseudoCode( + require(NewQuorum <= getNumBoardMembers()); + setQuorum(NewQuorum); + ) + + rule call(performAction(SendEgld(To:Address, Amount:BigUint, Data:BoxedBytes))) + => runPseudoCode( + sendTx(To, Amount, Data); + ) + + rule call(performAction(SCDeploy( + Amount:BigUint, + Code:BoxedBytes, + CodeMetadata:CodeMetadata, + Arguments:ExpressionList))) + => runPseudoCode( + gas_left = getGasLeft(); + new_address = deployContract(gas_left, Amount, Code, CodeMetadata, Arguments); + [new_address, .]; + void; + ) + + rule call(performAction(SCCall(To:Address, Amount:BigUint, Function:BoxedBytes, [Arguments:ExpressionCSV]))) + => runPseudoCode( + asyncCall(To, Amount, [Function , Arguments]); + ) + + rule call(clearAction(ActionId:Usize)) + => runPseudoCode( + setActionData(ActionId, Nothing); + setActionSignerIDs(ActionId, [.]); + ) + + rule call(quorumReached(ActionId:Usize)) + => runPseudoCode( + quorum = getQuorum(); + valid_signers_count = getActionValidSignerCount(ActionId); + quorum <= valid_signers_count; + ) + + rule call(getActionValidSignerCount(ActionId:Usize)) + => runPseudoCode( + signer_ids = getActionSignerIds(ActionId); + countCanSign(signer_ids); + ) + + rule call(countCanSign([.])) => evaluate(u(0)) + rule call(countCanSign([SignerId:Usize , SignerIds:ExpressionCSV])) + => runPseudoCode( + result = u(0); + user_role = getUserIdToRole(SignerId); + if (userRoleCanSign(user_role)) { + result = u(1); + } + result + countCanSign([SignerIds]); + ) + rule (.K => stuck) ~> call(countCanSign([E:Expression , _:ExpressionCSV])) + ensures notBool isUsize(E) + [owise] + + rule call(changeUserRole(UserAddress:Address, NewRole:UserRole)) + => runPseudoCode( + user_id = getOrCreateUser(UserAddress); + old_role = None; + if (!(user_id == u(0))) { + old_role = getUserIdToRole(user_id); + } + setUserIdToRole(user_id, NewRole); + + if 
(old_role == BoardMember) { + if (!(NewRole == BoardMember)) { + new_board_members = getNumBoardMembers() - u(1); + setNumBoardMembers(new_board_members); + } + } else { + if (NewRole == BoardMember) { + setNumBoardMembers(getNumBoardMembers() + u(1)); + } + } + + if (old_role == Proposer) { + if (!(NewRole == Proposer)) { + setNumProposers(getNumProposers() - u(1)); + } + } else { + if (NewRole == Proposer) { + setNumProposers(getNumProposers() + u(1)); + } + } + ) + + rule call(getOrCreateUser(Address:Address)) + => runPseudoCode( + user_id = getUserId(Address); + if (user_id == u(0)) { + num_users = getNumUsers(); + num_users = num_users + u(1); + setNumUsers(num_users); + user_id = num_users; + setUserId(Address, user_id); + setUserAddress(user_id, Address); + } + user_id; + ) + + rule call(pushList([Es:ExpressionCSV], E:Expression)) + => [#pushList(Es, E)] + + syntax ExpressionCSV ::= #pushList(ExpressionCSV, Expression) + [function, functional] + + rule #pushList(., E:Expression) + => E, . 
+ rule #pushList(E:Expression , Es:ExpressionCSV, E2:Expression) + => prepend(#pushList(Es, E2), E) + + syntax ExpressionCSV ::= prepend(ExpressionCSV, Expression) + [function, functional] + rule prepend(Es:ExpressionCSV, E:Expression) => E , Es + + rule call(sendTx(_To:Address, _Amount:BigUint, _Data:BoxedBytes)) + => evaluate(void) + + rule call(getGasLeft()) => evaluate(u(-1)) + + rule call(deployContract( + _GasLeft:Usize, + _Amount:BigUint, + _Code:BoxedBytes, + _:CodeMetadata, + Arguments:ExpressionList)) + => evaluate(void) + requires isKResult(Arguments) + + rule call(asyncCall( + _:Address, + _Amount:BigUint, + Arguments:ExpressionList)) + => evaluate(void) + requires isKResult(Arguments) + +endmodule + +module MAYBE + syntax Maybe ::= just(KItem) | "nothing" + syntax KItem ::= Maybe + + syntax KItem ::= value(KItem) + rule isKResult(value(K:KItem) => K) + + syntax KResult ::= Maybe + + syntax KItem ::= orElse(KItem, KItem) [strict(1)] + rule orElse(nothing, K:KItem) => value(K) + rule orElse(just(K:KItem), _:KItem) => value(K) +endmodule + +module MAP-UTILS + imports BOOL + imports K-EQUAL + imports MAP + imports MAYBE + imports PSEUDOCODE-COMMON + + syntax KItem ::= splitMap(key:KItem, toSplit:Map, value:KItem, remainder:Map) + [function, functional] + syntax KItem ::= "endSplitMap" + rule endSplitMap => .K + + rule splitMap(Key:KItem, M:Map, _Value:KItem, _Remainder:Map) => stuck + requires notBool Key in_keys(M) + rule splitMap(Key:KItem, (Key |-> _:KItem) _:Map, _Value:KItem, _Remainder:Map) + => endSplitMap + [simplification(30)] + rule splitMap(Key:KItem, (K1:KItem |-> _SomeValue:KItem) M:Map, Value:KItem, Remainder:Map) + => splitMap(Key, M, Value, Remainder) + requires notBool (Key ==K K1) andBool Key in_keys(M) + [simplification(30)] + rule splitMap(Key:KItem, M:Map, Value:KItem, Remainder:Map) + => endSplitMap + requires Key in_keys(M) + ensures M ==K (Key |-> Value Remainder) + [simplification(50)] + + /* + syntax Map ::= splitMap(key:KItem, 
Map, Map) [function, functional] + + rule splitMap(K:KItem, (K |-> _:KItem _:Map) #as _:Map, M:Map) + => M + [simplification] + rule splitMap(K:KItem, (K1 |-> _ M:Map) #as _:Map, N:Map) + => splitMap(K, M, N) + requires notBool (K ==K K1) + [simplification] + rule splitMap(K:KItem, M:Map, N:Map) + => + ( + (#Ceil(M #And (K |-> ?_:KItem ?_:Map))) + #And + {true #Equals (K in_keys(M))} + #And N + ) + #Or (N #And {true #Equals (notBool (K in_keys(M)))}) + + rule splitMap(K:KItem, M:Map, N:Map) + =>( + ( + (#Ceil(M #And (K |-> ?_:KItem ?_:Map))) + #And + {true #Equals (K in_keys(M))} + ) + #Or + ({true #Equals (notBool (K in_keys(M)))}) + ) + #And N + + + rule splitMap(K:KItem, M:Map, N:Map) => N + ensures + ( + ( + (#Ceil(M #And (K |-> ?_:KItem ?_:Map))) + #And + {true #Equals (K in_keys(M))} + ) + #Or + ({true #Equals (notBool (K in_keys(M)))}) + ) + + + + */ + + // Do the map lookups in a way that makes the Haskell backend happy. + + syntax KItem ::= mapLookup(KItem, Map) + rule mapLookup(K:KItem, M:Map) + => splitMap(K, M, ?_Value:KItem, ?_Remainder:Map) + ~> #mapLookup(K, M) + requires K in_keys(M) + rule mapLookup(K:KItem, M:Map) + => nothing + requires notBool K in_keys(M) + /* + rule mapLookup(K:KItem, M:Map) => #mapLookup(K, splitMap(K, M, M)) + */ + + syntax KItem ::= #mapLookup(KItem, Map) + rule #mapLookup(K:KItem, ((K |-> V:KItem) _:Map) #as M:Map) => just(V) + ensures K in_keys(M) + rule #mapLookup(K:KItem, M:Map) => nothing + ensures notBool (K in_keys(M)) + [owise] + + syntax KItem ::= mapDelete(key:KItem, Map) + rule mapDelete(K:KItem, M:Map) => #mapDelete(K, M) + requires K in_keys(M) + rule mapDelete(K:KItem, M:Map) => M + requires notBool (K in_keys(M)) + + syntax KItem ::= #mapDelete(key:KItem, Map) + rule #mapDelete(K:KItem, (K |-> _:KItem) M:Map) => M + rule #mapDelete(_:KItem, M:Map) => M + ensures false + [owise] + + syntax KItem ::= mapSet(key:KItem, value:KItem, Map) + rule mapSet(K:KItem, V:KItem, M:Map) => #mapSet(K, V, M) + requires K 
in_keys(M) + rule mapSet(K:KItem, V:KItem, M:Map) => K |-> V M + requires notBool (K in_keys(M)) + + syntax KItem ::= #mapSet(key:KItem, value:KItem, Map) + rule #mapSet(K:KItem, V:KItem, (K |-> _:KItem) M:Map) => K |-> V M + rule #mapSet(_:KItem, _:KItem, M:Map) => M + ensures false + [owise] + + rule X:KItem in_keys((Y:KItem |-> _:KItem M:Map) #as _:Map) + => X ==K Y orBool X in_keys(M) + [simplification] +endmodule + +module PSEUDOCODE-MAP-UTILS + imports MAP-UTILS + imports PSEUDOCODE-TYPE-REFLECTION + + syntax KItem ::= nullableMapLookup(key:KItem, Map, ReflectionType) + + rule nullableMapLookup(K:KItem, M:Map, T:ReflectionType) + => cast(orElse(mapLookup(K, M), defaultValue(T)), T) + + syntax KItem ::= nullableMapSet(key:KItem, value:KItem, Map, ReflectionType) + rule nullableMapSet(Key:KItem, Value:KItem, M:Map, T:ReflectionType) + => mapDelete(Key, M) + requires isDefaultValue(Value, T) + rule nullableMapSet(Key:KItem, Value:KItem, M:Map, T:ReflectionType) + => mapSet(Key, Value, M) + requires notBool isDefaultValue(Value, T) + +endmodule + +module PSEUDOCODE-CONFIGURATION + imports MAP + + imports PSEUDOCODE-SYNTAX + + syntax KItem ::= "uninitialized" + + configuration + + + runExternalCalls($PGM:ExternalCommands) + + + + + u(0) + .Map + .Map + + + u(0) + u(0) + .Map + u(0) + + + u(0) + + .Map + .Map + + + + + .Map + .List + + + uninitialized + + + + .K + + + + + + syntax StateCell ::= "initialState" [function] + rule initialState => + + + + u(0) + .Map + .Map + + + u(0) + u(0) + .Map + u(0) + + + u(0) + + .Map + .Map + + + + + .Map + .List + + + uninitialized + + + .K + + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/tests/add-board-member.golden b/multisig/protocol-correctness/tests/add-board-member.golden new file mode 100644 index 000000000..81d69b6d7 --- /dev/null +++ b/multisig/protocol-correctness/tests/add-board-member.golden 
@@ -0,0 +1,70 @@ + + + + . + + + + + + u ( 2 ) + + + u ( 1 ) |-> address ( 7 ) + u ( 2 ) |-> address ( 8 ) + + + address ( 7 ) |-> u ( 1 ) + address ( 8 ) |-> u ( 2 ) + + + + + u ( 2 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + u ( 2 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/add-board-member.msig b/multisig/protocol-correctness/tests/add-board-member.msig new file mode 100644 index 000000000..572df6bdf --- /dev/null +++ b/multisig/protocol-correctness/tests/add-board-member.msig @@ -0,0 +1,4 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddBoardMember(address(8)); +from address(7) run sign(u(1)); +from address(7) run performActionEndpoint(u(1)); diff --git a/multisig/protocol-correctness/tests/add-proposer.golden b/multisig/protocol-correctness/tests/add-proposer.golden new file mode 100644 index 000000000..114bf5570 --- /dev/null +++ b/multisig/protocol-correctness/tests/add-proposer.golden @@ -0,0 +1,73 @@ + + + + . + + + + + + u ( 3 ) + + + u ( 1 ) |-> address ( 7 ) + u ( 2 ) |-> address ( 10 ) + u ( 3 ) |-> address ( 11 ) + + + address ( 7 ) |-> u ( 1 ) + address ( 10 ) |-> u ( 2 ) + address ( 11 ) |-> u ( 3 ) + + + + + u ( 1 ) + + + u ( 2 ) + + + u ( 1 ) |-> BoardMember + u ( 2 ) |-> Proposer + u ( 3 ) |-> Proposer + + + u ( 1 ) + + + + + u ( 2 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/add-proposer.msig b/multisig/protocol-correctness/tests/add-proposer.msig new file mode 100644 index 000000000..c72a3eb7b --- /dev/null +++ b/multisig/protocol-correctness/tests/add-proposer.msig 
@@ -0,0 +1,7 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddProposer(address(10)); +from address(7) run proposeAddProposer(address(11)); +from address(7) run sign(u(1)); +from address(7) run sign(u(2)); +from address(7) run performActionEndpoint(u(1)); +from address(7) run performActionEndpoint(u(2)); diff --git a/multisig/protocol-correctness/tests/board-member-to-proposer.golden b/multisig/protocol-correctness/tests/board-member-to-proposer.golden new file mode 100644 index 000000000..2ac877e6c --- /dev/null +++ b/multisig/protocol-correctness/tests/board-member-to-proposer.golden @@ -0,0 +1,70 @@ + + + + . + + + + + + u ( 2 ) + + + u ( 1 ) |-> address ( 7 ) + u ( 2 ) |-> address ( 9 ) + + + address ( 7 ) |-> u ( 1 ) + address ( 9 ) |-> u ( 2 ) + + + + + u ( 1 ) + + + u ( 1 ) + + + u ( 1 ) |-> BoardMember + u ( 2 ) |-> Proposer + + + u ( 1 ) + + + + + u ( 2 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/board-member-to-proposer.msig b/multisig/protocol-correctness/tests/board-member-to-proposer.msig new file mode 100644 index 000000000..2de582f7d --- /dev/null +++ b/multisig/protocol-correctness/tests/board-member-to-proposer.msig @@ -0,0 +1,7 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddBoardMember(address(9)); +from address(7) run proposeAddProposer(address(9)); +from address(7) run sign(u(1)); +from address(7) run sign(u(2)); +from address(7) run performActionEndpoint(u(1)); +from address(7) run performActionEndpoint(u(2)); diff --git a/multisig/protocol-correctness/tests/change-quorum.golden b/multisig/protocol-correctness/tests/change-quorum.golden new file mode 100644 index 000000000..3276d260a --- /dev/null +++ b/multisig/protocol-correctness/tests/change-quorum.golden 
@@ -0,0 +1,70 @@ + + + + . + + + + + + u ( 2 ) + + + u ( 1 ) |-> address ( 7 ) + u ( 2 ) |-> address ( 8 ) + + + address ( 7 ) |-> u ( 1 ) + address ( 8 ) |-> u ( 2 ) + + + + + u ( 2 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + u ( 2 ) |-> BoardMember + + + u ( 2 ) + + + + + u ( 2 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/change-quorum.msig b/multisig/protocol-correctness/tests/change-quorum.msig new file mode 100644 index 000000000..31e9df8ad --- /dev/null +++ b/multisig/protocol-correctness/tests/change-quorum.msig @@ -0,0 +1,7 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddBoardMember(address(8)); +from address(7) run proposeChangeQuorum(u(2)); +from address(7) run sign(u(1)); +from address(7) run sign(u(2)); +from address(7) run performActionEndpoint(u(1)); +from address(7) run performActionEndpoint(u(2)); diff --git a/multisig/protocol-correctness/tests/discard-action.golden b/multisig/protocol-correctness/tests/discard-action.golden new file mode 100644 index 000000000..4a80766a2 --- /dev/null +++ b/multisig/protocol-correctness/tests/discard-action.golden @@ -0,0 +1,67 @@ + + + + . + + + + + + u ( 1 ) + + + u ( 1 ) |-> address ( 7 ) + + + address ( 7 ) |-> u ( 1 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/discard-action.msig b/multisig/protocol-correctness/tests/discard-action.msig new file mode 100644 index 000000000..0b74c1b42 --- /dev/null +++ b/multisig/protocol-correctness/tests/discard-action.msig @@ -0,0 +1,4 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddProposer(address(9)); +from address(7) run unsign(u(1)); +from address(7) run discardAction(u(1)); 
diff --git a/multisig/protocol-correctness/tests/perform-discarded.golden b/multisig/protocol-correctness/tests/perform-discarded.golden new file mode 100644 index 000000000..4a80766a2 --- /dev/null +++ b/multisig/protocol-correctness/tests/perform-discarded.golden @@ -0,0 +1,67 @@ + + + + . + + + + + + u ( 1 ) + + + u ( 1 ) |-> address ( 7 ) + + + address ( 7 ) |-> u ( 1 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/perform-discarded.msig b/multisig/protocol-correctness/tests/perform-discarded.msig new file mode 100644 index 000000000..cad8978ab --- /dev/null +++ b/multisig/protocol-correctness/tests/perform-discarded.msig @@ -0,0 +1,6 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddProposer(address(9)); +from address(7) run unsign(u(1)); +from address(7) run discardAction(u(1)); +from address(7) run sign(u(1)); +from address(7) run performActionEndpoint(u(1)); diff --git a/multisig/protocol-correctness/tests/remove-user.golden b/multisig/protocol-correctness/tests/remove-user.golden new file mode 100644 index 000000000..766202f68 --- /dev/null +++ b/multisig/protocol-correctness/tests/remove-user.golden @@ -0,0 +1,69 @@ + + + + . + + + + + + u ( 2 ) + + + u ( 1 ) |-> address ( 7 ) + u ( 2 ) |-> address ( 8 ) + + + address ( 7 ) |-> u ( 1 ) + address ( 8 ) |-> u ( 2 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 2 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/remove-user.msig b/multisig/protocol-correctness/tests/remove-user.msig new file mode 100644 index 000000000..2f490caf7 --- /dev/null +++ b/multisig/protocol-correctness/tests/remove-user.msig 
@@ -0,0 +1,7 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddBoardMember(address(8)); +from address(7) run proposeRemoveUser(address(8)); +from address(7) run sign(u(1)); +from address(7) run sign(u(2)); +from address(7) run performActionEndpoint(u(1)); +from address(7) run performActionEndpoint(u(2)); diff --git a/multisig/protocol-correctness/tests/sc-call.golden b/multisig/protocol-correctness/tests/sc-call.golden new file mode 100644 index 000000000..4a80766a2 --- /dev/null +++ b/multisig/protocol-correctness/tests/sc-call.golden @@ -0,0 +1,67 @@ + + + + . + + + + + + u ( 1 ) + + + u ( 1 ) |-> address ( 7 ) + + + address ( 7 ) |-> u ( 1 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/sc-call.msig b/multisig/protocol-correctness/tests/sc-call.msig new file mode 100644 index 000000000..20fce3aff --- /dev/null +++ b/multisig/protocol-correctness/tests/sc-call.msig @@ -0,0 +1,4 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeSCCall(address(123), big(10), bytes("function"), [.]); +from address(7) run sign(u(1)); +from address(7) run performActionEndpoint(u(1)); diff --git a/multisig/protocol-correctness/tests/sc-deploy.golden b/multisig/protocol-correctness/tests/sc-deploy.golden new file mode 100644 index 000000000..4a80766a2 --- /dev/null +++ b/multisig/protocol-correctness/tests/sc-deploy.golden @@ -0,0 +1,67 @@ + + + + . + + + + + + u ( 1 ) + + + u ( 1 ) |-> address ( 7 ) + + + address ( 7 ) |-> u ( 1 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + 
diff --git a/multisig/protocol-correctness/tests/sc-deploy.msig b/multisig/protocol-correctness/tests/sc-deploy.msig new file mode 100644 index 000000000..7abf7dedf --- /dev/null +++ b/multisig/protocol-correctness/tests/sc-deploy.msig @@ -0,0 +1,4 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeSCDeploy(big(10), bytes("code"), false, false, false, [.]); +from address(7) run sign(u(1)); +from address(7) run performActionEndpoint(u(1)); diff --git a/multisig/protocol-correctness/tests/send-egld.golden b/multisig/protocol-correctness/tests/send-egld.golden new file mode 100644 index 000000000..4a80766a2 --- /dev/null +++ b/multisig/protocol-correctness/tests/send-egld.golden @@ -0,0 +1,67 @@ + + + + . + + + + + + u ( 1 ) + + + u ( 1 ) |-> address ( 7 ) + + + address ( 7 ) |-> u ( 1 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/send-egld.msig b/multisig/protocol-correctness/tests/send-egld.msig new file mode 100644 index 000000000..97931c55f --- /dev/null +++ b/multisig/protocol-correctness/tests/send-egld.msig @@ -0,0 +1,4 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeSendEgld(address(123), big(10), bytes("stuff")); +from address(7) run sign(u(1)); +from address(7) run performActionEndpoint(u(1)); diff --git a/multisig/protocol-correctness/tests/sign.golden b/multisig/protocol-correctness/tests/sign.golden new file mode 100644 index 000000000..1fedaeeeb --- /dev/null +++ b/multisig/protocol-correctness/tests/sign.golden 
@@ -0,0 +1,73 @@ + + + + . + + + + + + u ( 3 ) + + + u ( 1 ) |-> address ( 7 ) + u ( 2 ) |-> address ( 8 ) + u ( 3 ) |-> address ( 10 ) + + + address ( 7 ) |-> u ( 1 ) + address ( 8 ) |-> u ( 2 ) + address ( 10 ) |-> u ( 3 ) + + + + + u ( 2 ) + + + u ( 1 ) + + + u ( 1 ) |-> BoardMember + u ( 2 ) |-> BoardMember + u ( 3 ) |-> Proposer + + + u ( 2 ) + + + + + u ( 3 ) + + + + .Map + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/sign.msig b/multisig/protocol-correctness/tests/sign.msig new file mode 100644 index 000000000..235f0c827 --- /dev/null +++ b/multisig/protocol-correctness/tests/sign.msig @@ -0,0 +1,8 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddBoardMember(address(8)); +from address(7) run proposeChangeQuorum(u(2)); +from address(7) run proposeAddProposer(address(10)); +from address(7) run performActionEndpoint(u(1)); +from address(7) run performActionEndpoint(u(2)); +from address(8) run sign(u(3)); +from address(7) run performActionEndpoint(u(3)); diff --git a/multisig/protocol-correctness/tests/unsign-all.golden b/multisig/protocol-correctness/tests/unsign-all.golden new file mode 100644 index 000000000..b8c8624d5 --- /dev/null +++ b/multisig/protocol-correctness/tests/unsign-all.golden @@ -0,0 +1,67 @@ + + + + . + + + + + + u ( 1 ) + + + u ( 1 ) |-> address ( 7 ) + + + address ( 7 ) |-> u ( 1 ) + + + + + u ( 1 ) + + + u ( 0 ) + + + u ( 1 ) |-> BoardMember + + + u ( 1 ) + + + + + u ( 1 ) + + + + u ( 1 ) |-> AddProposer ( address ( 9 ) ) + + + .Map + + + + + + + .Map + + + .List + + + + + uninitialized + + + + + . + + + + + diff --git a/multisig/protocol-correctness/tests/unsign-all.msig b/multisig/protocol-correctness/tests/unsign-all.msig new file mode 100644 index 000000000..a1c42196c --- /dev/null +++ b/multisig/protocol-correctness/tests/unsign-all.msig 
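Review bot: The sign.msig sequence only exercises the happy path for the quorum of 2 set by action 2: address(8) signs action 3 and then address(7) performs it, so the golden never pins that a lone signer is rejected once the quorum is 2. Inserting `from address(7) run performActionEndpoint(u(3));` before the `from address(8) run sign(u(3));` line would also cover the `require(quorumReached(ActionId))` check in performActionEndpoint, with the expected final state unchanged because, as perform-discarded.msig already relies on, a failed require leaves the state as it was. The same gap applies to the role check in sign: no .msig in this commit has a Proposer-role caller (address(10) here) attempt `sign`, which is the case canSign is meant to reject.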
@@ -0,0 +1,3 @@ +from address(7) run init(u(1), [address(7), .]); +from address(7) run proposeAddProposer(address(9)); +from address(7) run unsign(u(1)); From 8542fbe15464ab4ea17fe6284872397956aacefd Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Thu, 1 Apr 2021 20:55:54 +0300 Subject: [PATCH 02/37] tmp --- .../proof-configuration.k | 26 ------------------- multisig/protocol-correctness/pseudocode.k | 17 +++--------- .../tests/add-board-member.golden | 5 ---- .../tests/add-proposer.golden | 5 ---- .../tests/board-member-to-proposer.golden | 5 ---- .../tests/change-quorum.golden | 5 ---- .../tests/discard-action.golden | 5 ---- .../tests/perform-discarded.golden | 5 ---- .../tests/remove-user.golden | 5 ---- .../protocol-correctness/tests/sc-call.golden | 5 ---- .../tests/sc-deploy.golden | 5 ---- .../tests/send-egld.golden | 5 ---- .../protocol-correctness/tests/sign.golden | 5 ---- .../tests/unsign-all.golden | 5 ---- 14 files changed, 4 insertions(+), 99 deletions(-) delete mode 100644 multisig/protocol-correctness/proof-configuration.k diff --git a/multisig/protocol-correctness/proof-configuration.k b/multisig/protocol-correctness/proof-configuration.k deleted file mode 100644 index a0242a2b5..000000000 --- a/multisig/protocol-correctness/proof-configuration.k +++ /dev/null 
@@ -1,26 +0,0 @@
-module PROOF-CONFIGURATION
- imports CONFIGURATION
-
- syntax ActionLogEntry ::= logPropose(usize) | logPerform(usize) | logDiscard(usize)
- syntax ActionLog ::= actionLog(List) // list of ActionLogEntry
-
- syntax VoteLogEntry ::= logSign(usize) | logUnsign(usize)
- syntax VoteLog ::= actionLog(List) // list of ActionLogEntry
-
- syntax UserLogEntry ::= logAddBoardMember(Address?)
- | logAddProposer(Address?)
- | logRemoveUser(Address?)
- syntax UserLog ::= List(UserLogEntry)
-
- syntax ProofState ::= proofState(ActionLog, VoteLog, UserLog)
-
- syntax KItem ::= log(Command)
-
- rule start(Command) => run(Command) ~> log(Command) [priority(??25)]
- rule error ~> log(Command) => .K [priority(25)]
-
- configuration
- proofState(actionLog(.List), voteLog(.List), ...)
-
-
-endmodule
\ No newline at end of file
diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k
index 61d856214..5d964e03b 100644
--- a/multisig/protocol-correctness/pseudocode.k
+++ b/multisig/protocol-correctness/pseudocode.k
@@ -492,7 +492,7 @@ module PSEUDOCODE-FUNCTIONS syntax KResult
- syntax KItem ::= "pushContext" | "popContext" | "evaluateReturnValue"
+ syntax KItem ::= "pushContext" | "popContext" | "evaluateReturnValue" | "preCall"
 syntax KItem ::= stuck(KItem) syntax KItem ::= call(Expression) syntax KItem ::= Expression
@@ -504,11 +504,11 @@ module PSEUDOCODE-FUNCTIONS )) rule evaluate(_:FunctionTag(Args:ArgumentCSV) #as FunctionCall)
- => (pushContext ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue)
+ => (pushContext ~> preCall ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue)
 ... requires isKResult(Args) rule evaluate(_:FunctionTag() #as FunctionCall)
- => (pushContext ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue)
+ => (pushContext ~> preCall ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue)
 ... rule pushContext => .K ...
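Review bot: `preCall` is added to the `KItem` syntax and spliced into both `evaluate` rewrite sequences, but no rule that consumes it appears anywhere in this commit; unless such a rule already exists elsewhere in pseudocode.k, every function call now rewrites to `pushContext ~> preCall ~> call(...)` and is stuck as soon as the visible `rule pushContext => .K ...` has fired, with `preCall` at the head of the k cell. If it is meant as a hook that a proof module overrides, the base semantics should still define the no-op so that concrete execution (and the golden tests touched by this same commit) keep running, e.g. `rule preCall => .K ...`, and the commit subject "tmp" gives no hint of which is intended. The enclosing `module PSEUDOCODE-FUNCTIONS` starts and ends outside the hunk; the `_:ProofStateCell` removals in the `@@ -519` and `@@ -541` hunks that follow are consistent with the deletion of proof-configuration.k and need no change.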
@@ -519,7 +519,6 @@ module PSEUDOCODE-FUNCTIONS (.List => ListItem(stackEntry(S, V))) ... _:ExternalCallEnvCell - _:ProofStateCell rule (evaluate(E:Expression) => E) ~> popContext ... @@ -541,7 +540,6 @@ module PSEUDOCODE-FUNCTIONS (ListItem(stackEntry(S:MultisigStateCell, V:Map)) => .List) ... _:ExternalCallEnvCell - _:ProofStateCell rule error ~> (evaluateReturnValue => .K) ... @@ -1243,10 +1241,6 @@ module PSEUDOCODE-CONFIGURATION uninitialized - - - .K - @@ -1281,8 +1275,5 @@ module PSEUDOCODE-CONFIGURATION uninitialized - - .K - -endmodule \ No newline at end of file +endmodule diff --git a/multisig/protocol-correctness/tests/add-board-member.golden b/multisig/protocol-correctness/tests/add-board-member.golden index 81d69b6d7..8bfb91876 100644 --- a/multisig/protocol-correctness/tests/add-board-member.golden +++ b/multisig/protocol-correctness/tests/add-board-member.golden @@ -60,11 +60,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/add-proposer.golden b/multisig/protocol-correctness/tests/add-proposer.golden index 114bf5570..b97a15e19 100644 --- a/multisig/protocol-correctness/tests/add-proposer.golden +++ b/multisig/protocol-correctness/tests/add-proposer.golden @@ -63,11 +63,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/board-member-to-proposer.golden b/multisig/protocol-correctness/tests/board-member-to-proposer.golden index 2ac877e6c..8951c0fa6 100644 --- a/multisig/protocol-correctness/tests/board-member-to-proposer.golden +++ b/multisig/protocol-correctness/tests/board-member-to-proposer.golden @@ -60,11 +60,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/change-quorum.golden b/multisig/protocol-correctness/tests/change-quorum.golden index 3276d260a..d7868bfca 100644 --- a/multisig/protocol-correctness/tests/change-quorum.golden +++ b/multisig/protocol-correctness/tests/change-quorum.golden @@ -60,11 +60,6 @@ uninitialized - - - . - - 
diff --git a/multisig/protocol-correctness/tests/discard-action.golden b/multisig/protocol-correctness/tests/discard-action.golden index 4a80766a2..104b03b9f 100644 --- a/multisig/protocol-correctness/tests/discard-action.golden +++ b/multisig/protocol-correctness/tests/discard-action.golden @@ -57,11 +57,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/perform-discarded.golden b/multisig/protocol-correctness/tests/perform-discarded.golden index 4a80766a2..104b03b9f 100644 --- a/multisig/protocol-correctness/tests/perform-discarded.golden +++ b/multisig/protocol-correctness/tests/perform-discarded.golden @@ -57,11 +57,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/remove-user.golden b/multisig/protocol-correctness/tests/remove-user.golden index 766202f68..0158e195e 100644 --- a/multisig/protocol-correctness/tests/remove-user.golden +++ b/multisig/protocol-correctness/tests/remove-user.golden @@ -59,11 +59,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/sc-call.golden b/multisig/protocol-correctness/tests/sc-call.golden index 4a80766a2..104b03b9f 100644 --- a/multisig/protocol-correctness/tests/sc-call.golden +++ b/multisig/protocol-correctness/tests/sc-call.golden @@ -57,11 +57,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/sc-deploy.golden b/multisig/protocol-correctness/tests/sc-deploy.golden index 4a80766a2..104b03b9f 100644 --- a/multisig/protocol-correctness/tests/sc-deploy.golden +++ b/multisig/protocol-correctness/tests/sc-deploy.golden @@ -57,11 +57,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/send-egld.golden b/multisig/protocol-correctness/tests/send-egld.golden index 4a80766a2..104b03b9f 100644 --- a/multisig/protocol-correctness/tests/send-egld.golden +++ b/multisig/protocol-correctness/tests/send-egld.golden @@ -57,11 +57,6 @@ uninitialized - - - . - - 
diff --git a/multisig/protocol-correctness/tests/sign.golden b/multisig/protocol-correctness/tests/sign.golden index 1fedaeeeb..57956a852 100644 --- a/multisig/protocol-correctness/tests/sign.golden +++ b/multisig/protocol-correctness/tests/sign.golden @@ -63,11 +63,6 @@ uninitialized - - - . - - diff --git a/multisig/protocol-correctness/tests/unsign-all.golden b/multisig/protocol-correctness/tests/unsign-all.golden index b8c8624d5..183df9040 100644 --- a/multisig/protocol-correctness/tests/unsign-all.golden +++ b/multisig/protocol-correctness/tests/unsign-all.golden @@ -57,11 +57,6 @@ uninitialized - - - . - - From 623af47ffd6e6f21538bfe5c171f2d83b56b334d Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Sun, 17 Jan 2021 19:15:17 +0200 Subject: [PATCH 03/37] Invariant --- multisig/protocol-correctness/.gitignore | 3 +- .../protocol-correctness/proof/.gitignore | 7 + multisig/protocol-correctness/proof/Makefile | 20 + .../proof/compute-duration.py | 26 + .../proof/execution-proof.k | 479 ++++++++++++++++++ .../protocol-correctness/proof/invariant.k | 376 ++++++++++++++ .../proof/invariant/Makefile | 36 ++ .../proof/invariant/count-can-sign-parts.k | 168 ++++++ .../proof/invariant/init-loop-parts.k | 232 +++++++++ .../proof/invariant/invariant-execution.k | 259 ++++++++++ .../proof/invariant/invariant.mak | 41 ++ .../proof/invariant/perform-parts.k | 239 +++++++++ .../proof/invariant/proof-count-can-sign.k | 112 ++++ .../proof/invariant/proof-discard-action.k | 66 +++ .../proof/invariant/proof-init-loop.k | 188 +++++++ .../proof/invariant/proof-init.k | 70 +++ .../proof/invariant/proof-listlen.k | 16 + .../invariant/proof-perform-action-endpoint.k | 175 +++++++ .../proof/invariant/proof-perform-action.k | 155 ++++++ .../proof-perform-add-board-member.k | 110 ++++ .../invariant/proof-perform-add-proposer-1.k | 108 ++++ .../invariant/proof-perform-add-proposer-2.k | 102 ++++ .../invariant/proof-perform-add-proposer-3.k | 124 +++++ .../invariant/proof-perform-add-proposer-4.k | 118 +++++ .../invariant/proof-perform-add-proposer-5.k | 124 +++++ .../invariant/proof-perform-add-proposer-6.k | 118 +++++ .../invariant/proof-perform-add-proposer-7.k | 123 +++++ .../invariant/proof-perform-add-proposer-8.k | 118 +++++ .../invariant/proof-perform-add-proposer-9.k | 112 ++++ .../invariant/proof-perform-change-quorum.k | 217 ++++++++ .../proof/invariant/proof-perform-nothing.k | 110 ++++ .../invariant/proof-perform-remove-user-1.k | 126 +++++ .../invariant/proof-perform-remove-user-10.k | 112 ++++ .../invariant/proof-perform-remove-user-2.k | 122 +++++ .../invariant/proof-perform-remove-user-3.k | 114 +++++ .../invariant/proof-perform-remove-user-4.k 
| 110 ++++ .../invariant/proof-perform-remove-user-5.k | 128 +++++ .../invariant/proof-perform-remove-user-6.k | 124 +++++ .../invariant/proof-perform-remove-user-7.k | 112 ++++ .../invariant/proof-perform-remove-user-8.k | 110 ++++ .../invariant/proof-perform-remove-user-9.k | 116 +++++ .../proof/invariant/proof-perform-s-c-call.k | 102 ++++ .../invariant/proof-perform-s-c-deploy.k | 102 ++++ .../proof/invariant/proof-perform-send-egld.k | 94 ++++ .../proof-propose-add-board-member.k | 63 +++ .../invariant/proof-propose-add-proposer.k | 63 +++ .../invariant/proof-propose-change-quorum.k | 63 +++ .../invariant/proof-propose-remove-user.k | 63 +++ .../proof/invariant/proof-propose-sc-call.k | 68 +++ .../proof/invariant/proof-propose-sc-deploy.k | 70 +++ .../proof/invariant/proof-propose-send-egld.k | 63 +++ .../proof/invariant/proof-sign.k | 63 +++ .../proof/invariant/proof-unsign.k | 63 +++ .../proof/proof-dependency.mak | 7 + .../protocol-correctness/proof/settings.mak | 5 + 55 files changed, 6214 insertions(+), 1 deletion(-) create mode 100644 multisig/protocol-correctness/proof/.gitignore create mode 100644 multisig/protocol-correctness/proof/Makefile create mode 100755 multisig/protocol-correctness/proof/compute-duration.py create mode 100644 multisig/protocol-correctness/proof/execution-proof.k create mode 100644 multisig/protocol-correctness/proof/invariant.k create mode 100644 multisig/protocol-correctness/proof/invariant/Makefile create mode 100644 multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k create mode 100644 multisig/protocol-correctness/proof/invariant/init-loop-parts.k create mode 100644 multisig/protocol-correctness/proof/invariant/invariant-execution.k create mode 100644 multisig/protocol-correctness/proof/invariant/invariant.mak create mode 100644 multisig/protocol-correctness/proof/invariant/perform-parts.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k create mode 100644 
multisig/protocol-correctness/proof/invariant/proof-discard-action.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-init-loop.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-init.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-listlen.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-action.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k create mode 100644 
multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-sign.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-unsign.k create mode 100644 multisig/protocol-correctness/proof/proof-dependency.mak create mode 100644 multisig/protocol-correctness/proof/settings.mak 
diff --git a/multisig/protocol-correctness/.gitignore b/multisig/protocol-correctness/.gitignore index e29a5c64e..7fbb9620a 100644 --- a/multisig/protocol-correctness/.gitignore +++ b/multisig/protocol-correctness/.gitignore @@ -1,4 +1,5 @@ *.timestamp *-kompiled *.cmp -.krun-* \ No newline at end of file +.krun-* +kore-*.tar.gz diff --git a/multisig/protocol-correctness/proof/.gitignore b/multisig/protocol-correctness/proof/.gitignore new file mode 100644 index 000000000..841e28283 --- /dev/null +++ b/multisig/protocol-correctness/proof/.gitignore @@ -0,0 +1,7 @@ +.kprove-* +kore-repl* +*.log +*.svg +*.json +*.eventlog +out diff --git a/multisig/protocol-correctness/proof/Makefile b/multisig/protocol-correctness/proof/Makefile new file mode 100644 index 000000000..2eede6065 --- /dev/null +++ b/multisig/protocol-correctness/proof/Makefile @@ -0,0 +1,20 @@ +include settings.mak + +.PHONY: default +default: all ; + +SCRIPT_DIR=. + +PROOF_DIR := . +include proof-dependency.mak + +INVARIANT_DIR := invariant +include invariant/invariant.mak + +.PHONY: all invariant clean + +all: invariant + +invariant: $(INVARIANT_OUT_PREFIX)proof.timestamp + +clean: invariant.clean diff --git a/multisig/protocol-correctness/proof/compute-duration.py b/multisig/protocol-correctness/proof/compute-duration.py new file mode 100755 index 000000000..960120459 --- /dev/null +++ b/multisig/protocol-correctness/proof/compute-duration.py 
@@ -0,0 +1,26 @@
+#!/usr/bin/env python3
+import sys
+
+def main(argv):
+ with open(argv[0], 'rt') as f:
+ contents = f.read()
+ lines = contents.strip('\r\n').split('\n')
+ assert len(lines) == 2, lines
+ start = float(lines[0])
+ end = float(lines[1])
+ seconds = end - start
+ minutes = seconds / 60
+ hours = minutes / 60
+ minutes = minutes % 60
+ seconds = seconds % 60
+ if hours > 0:
+ message = '%dh %dm %ds' % (hours, minutes, seconds)
+ elif minutes > 0:
+ message = '%dm %ds' % (minutes, seconds)
+ else:
+ message = '%ds' % seconds
+ print(message)
+
+
+if __name__ == '__main__':
+ main(sys.argv[1:])
\ No newline at end of file
diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k new file mode 100644
index 000000000..3f8287581
--- /dev/null
+++ b/multisig/protocol-correctness/proof/execution-proof.k
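Review bot: `if hours > 0:` compares a float, so for any positive duration the first branch is taken and the `elif`/`else` branches are dead code — a 30-second run prints `0h 0m 30s`, because `hours = minutes / 60` is computed before the modulo and is a small positive number rather than zero. The thresholds are meant to be whole units: `if hours >= 1:` and `elif minutes >= 1:` (or truncate with `int(...)` before comparing). `main(sys.argv[1:])` also fails with a bare `IndexError` on `argv[0]` when the script is run without a path; a one-line usage check before the `open` would make that failure readable.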
@@ -0,0 +1,479 @@
+require "../pseudocode.k"
+require "invariant.k"
+require "map/map-execute.k"
+
+module EXECUTION-PROOF-SYNTAX
+ imports PSEUDOCODE-SYNTAX
+endmodule
+
+module EXECUTION-PROOF-HELPERS
+ imports MAP-SYMBOLIC
+ imports SET
+
+ imports PSEUDOCODE
+ imports MAP-EXECUTE
+
+ // Expand and PropertyHandling form a stupid trick used to control symbolic
+ // function application.
+ // Any function that receives them as an argument should not depend on them,
+ // i.e it should have the same value for all possible PropertyHandling values.
+ syntax Expand ::= "expanded" | expand(Expand)
+ syntax PropertyHandling ::= "usesExpanded" | Expand
+ // TODO: Delete above or below.
+ syntax Int ::= expand(Int) [function, functional, no-evaluators]
+ syntax Int ::= "usesExpanded" [function, functional, no-evaluators]
+
+ syntax Int ::= pListLen(ExpressionList) [function, functional, smtlib(pListLen)]
+ rule pListLen([.]) => 0
+ rule pListLen([_:Expression, Es:ExpressionCSV]) => 1 +Int pListLen([Es])
+
+ rule pListLen(_) >=Int 0 => true [simplification, smt-lemma]
+
+ // Override the default behaviour.
+ rule isDefaultValue(E:ExpressionList, rExpressionList) + => notBool (pListLen(E) >Int 0) + rule pListLen([#pushList(_, _)]) >Int 0 => true + [simplification] + + syntax Bool ::= noCommonItem(Usize, Map, ExpressionList) [function, functional] + rule noCommonItem(_:Usize, _:Map, [.]) => true + rule noCommonItem(U:Usize, M:Map, [E:Expression , Es:ExpressionCSV]) + => notBool (E in_keys(M)) + andBool noCommonItem(add(U, u(1)), (E |-> U) M, [Es]) + + syntax Bool ::= noReusedIndexAddress(Usize, Map, ExpressionList) [function, functional] + rule noReusedIndexAddress(U:Usize, M:Map, [.]) => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) + rule noReusedIndexAddress(U:Usize, M:Map, [E:Expression , Es:ExpressionCSV] #as L) + => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, L) + andBool noReusedIndexAddress(add(U, u(1)), (U |-> E) M, [Es]) + + syntax Bool ::= noReusedIndexRole(Usize, Map, ExpressionList) [function, functional] + rule noReusedIndexRole(U:Usize, M:Map, [.]) => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) + rule noReusedIndexRole(U:Usize, M:Map, [_:Expression , Es:ExpressionCSV] #as L) + => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, L) + andBool noReusedIndexRole(add(U, u(1)), (U |-> BoardMember) M, [Es]) + + syntax Bool ::= "forall-v-greater-or-equal-than-u-v-not-in-m" "(" Usize "," Map "," ExpressionList ")" [function, functional] + rule forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) + => notBool U in_keys(M) + rule forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [_:Expression , Es:ExpressionCSV]) + => notBool U in_keys(M) + andBool forall-v-greater-or-equal-than-u-v-not-in-m(add(U, u(1)), M, [Es]) + + syntax Usize ::= usizeWithDefault(KItem, Usize) [function, functional] + rule usizeWithDefault(uninitialized, Default:Usize) => Default + rule usizeWithDefault(V:Usize, _:Usize) => V + + syntax Int ::= usizeToInt(Usize) [function, functional] + rule usizeToInt(u(V:Int)) => V + + syntax Bool ::= 
listElementsAreAddresses(ExpressionList) [function, functional] + rule listElementsAreAddresses([.]) => true + rule listElementsAreAddresses([E:Expression , Es:ExpressionCSV]) + => isAddress(E) andBool listElementsAreAddresses([Es]) + + syntax Bool ::= listElementsAreUsize(KItem) [function, functional] + rule listElementsAreUsize([.]) => true + rule listElementsAreUsize([E:Expression, Es:ExpressionCSV]) + => isUsize(E) andBool listElementsAreUsize([Es]) + rule listElementsAreUsize(_:KItem) => false + [owise] + rule listElementsAreUsize([E:Expression, Es:ExpressionCSV]) + => isUsize(E) andBool listElementsAreUsize([Es]) + [simplification] + + syntax Bool ::= valuesAreExpressionListOfUsize(Map) [function, functional] + rule valuesAreExpressionListOfUsize(.Map) => true + rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) + => isExpressionList(V) + andBool listElementsAreUsize(V) + andBool valuesAreExpressionListOfUsize(M) + rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) + => isExpressionList(V) + andBool listElementsAreUsize(V) + andBool valuesAreExpressionListOfUsize(M) + [simplification] + + syntax Bool ::= valuesAreKResult(Map) [function, functional] + rule valuesAreKResult(.Map) => true + rule valuesAreKResult((_ |-> V M:Map) #as _:Map) + => isKResult(V) andBool valuesAreKResult(M) + rule valuesAreKResult((_ |-> V M:Map) #as _:Map) + => isKResult(V) andBool valuesAreKResult(M) + [simplification] + + syntax Bool ::= valuesAreOfType(Map, ReflectionType) [function, functional] + rule valuesAreOfType(.Map, _:ReflectionType) => true + rule valuesAreOfType((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valueOfType(V, T) andBool valuesAreOfType(M, T) + rule valuesAreOfType((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valueOfType(V, T) andBool valuesAreOfType(M, T) + [simplification] + + syntax Bool ::= keysAreKResult(Map) [function, functional] + rule keysAreKResult(.Map) => true + rule keysAreKResult((K:KItem |-> _:KItem M:Map) #as 
_:Map) + => isKResult(K) andBool keysAreKResult(M) + rule keysAreKResult((K:KItem |-> _:KItem M:Map) #as _:Map) + => isKResult(K) andBool keysAreKResult(M) + [simplification] + + syntax Bool ::= keysAreOfType(Map, ReflectionType) [function, functional] + rule keysAreOfType(.Map, _:ReflectionType) => true + rule keysAreOfType((K:KItem |-> _:KItem M:Map) #as _:Map, T:ReflectionType) + => valueOfType(K, T) andBool keysAreOfType(M, T) + rule keysAreOfType((K:KItem |-> _:KItem M:Map) #as _:Map, T:ReflectionType) + => valueOfType(K, T) andBool keysAreOfType(M, T) + [simplification] + + syntax Bool ::= valueIsNotEmpty(KItem, ReflectionType) [function, functional] + rule valueIsNotEmpty(V:KItem, T:ReflectionType) + => notBool (V ==K defaultValue(T)) + + syntax Bool ::= valuesAreNotEmpty(Map, ReflectionType) [function, functional] + rule valuesAreNotEmpty(.Map, _:ReflectionType) => true + rule valuesAreNotEmpty((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valuesAreNotEmpty(M, T) andBool valueIsNotEmpty(V, T) + rule valuesAreNotEmpty((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valuesAreNotEmpty(M, T) andBool valueIsNotEmpty(V, T) + [simplification] + + syntax Bool ::= valuesAreDistinct(Map) [function, functional] + rule valuesAreDistinct(.Map) => true + rule valuesAreDistinct((_:KItem |-> V:KItem M:Map) #as _:Map) + => valuesAreDistinct(M) andBool valueNotInMapValues(V, M) + [simplification] + + syntax Bool ::= valueNotInMapValues(KItem, Map) [function, functional] + rule valueNotInMapValues(_:KItem, .Map) => true + rule valueNotInMapValues(V1:KItem, (_:KItem |-> V2:KItem M:Map) #as _:Map) + => (notBool (V1 ==K V2)) andBool valueNotInMapValues(V1, M) + [simplification] + rule valueNotInMapValues(u(X:Int +Int 4), M:Map) => true + requires #noReusedIndexValue(X +Int 3, M, expanded) + [simplification] + + syntax Bool ::= noReusedIndexValue(Int, Map, PropertyHandling) [function, functional] + syntax Bool ::= #noReusedIndexValue(Int, Map, PropertyHandling) [function, 
functional] + + rule noReusedIndexValue(_Index:Int, .Map, _:PropertyHandling) => true + + rule noReusedIndexValue(Index:Int, (_:KItem |-> V:Usize M:Map) #as _:Map, Expand:PropertyHandling) + => Index >Int usizeToInt(V) andBool noReusedIndexValue(Index, M, Expand) + [simplification(20)] + rule noReusedIndexValue(Index:Int, M:Map, Handling:PropertyHandling) + => true + andBool valueNotInMapValues(u(Index), M) + andBool #noReusedIndexValue(Index, M, Handling) + [simplification(50)] + + rule #noReusedIndexValue(_Index:Int, .Map, expanded) => true + rule #noReusedIndexValue(Index:Int, (_:KItem |-> V:Usize M:Map) #as _:Map, Expand:PropertyHandling) + => Index >Int usizeToInt(V) andBool #noReusedIndexValue(Index, M, Expand) + [simplification(20)] + rule #noReusedIndexValue(Index:Int, M:Map, expand(Expand:Expand)) + => noReusedIndexValue(Index +Int 1, M, Expand) + [simplification(50)] + + rule #noReusedIndexValue(X:Int, M:Map, usesExpanded) + => true + requires false + orBool #noReusedIndexValue(X, M, expanded) + orBool (true + andBool valueNotInMapValues(u(X), M) + andBool #noReusedIndexValue(X +Int 1, M, expanded) + ) + orBool (true + andBool valueNotInMapValues(u(X), M) + andBool valueNotInMapValues(u(X +Int 1), M) + andBool #noReusedIndexValue(X +Int 2, M, expanded) + ) + [simplification] + + rule #noReusedIndexValue(X:Int +Int 4, M:Map, expanded) + => true + requires #noReusedIndexValue(X +Int 3, M, expanded) + [simplification] + rule #noReusedIndexValue(X:Int +Int 2, M:Map, expanded) + => true + requires true + andBool #noReusedIndexValue(X +Int 3, M, expanded) + andBool valueNotInMapValues(u(X +Int 2), M) + [simplification] + + syntax Bool ::= allValuesBecomeKeys(Map, Map) [function, functional] + syntax Bool ::= #allValuesBecomeKeys(Map, Map) [function, functional] + + rule allValuesBecomeKeys(M:Map, N:Map) => #allValuesBecomeKeys(M, keysMap(N)) + + rule #allValuesBecomeKeys(.Map, _:Map) => true + // TODO: This does not work if the key is in the map. 
Fix it and everything else. + rule #allValuesBecomeKeys((_ |-> V M:Map) #as _:Map, N:Map) + => V in_keys(N) andBool #allValuesBecomeKeys(M, N) + [simplification] + rule #allValuesBecomeKeys(M:Map, (_ |-> _ N:Map) #as _:Map) => true + requires #allValuesBecomeKeys(M, N) + [simplification] + + syntax Bool ::= mapsAreReverse(Map, Map) [function, functional] + syntax Bool ::= mapsAreReverseHalf(Map, Map) [function, functional] + + rule mapsAreReverse(M:Map, N:Map) + => mapsAreReverseHalf(M, N) andBool mapsAreReverseHalf(N, M) + + rule mapsAreReverseHalf(.Map, _:Map) => true + rule mapsAreReverseHalf((K:KItem |-> V:KItem M:Map) #as _:Map, N:Map) + => V in_keys(N) andBool N[V] ==K K andBool mapsAreReverseHalf(M, N) + [simplification] + + syntax Bool ::= mapIncluded(Map, Map) [function, functional] + + rule mapIncluded(.Map, _:Map) => true + rule mapIncluded((K:KItem |-> V:KItem M:Map) #as _:Map, N:Map) + => K in_keys(N) andBool N[K] ==K V andBool mapIncluded(M, N) + [simplification] + rule mapIncluded(M:Map, M:Map) => true + [simplification] + rule mapIncluded(M1:Map, _:KItem |-> _:KItem M2:Map) => true + requires M1 ==K M2 + [simplification] + // Not sure why this does not work instead of the above: + rule mapIncluded(M:Map, _:KItem |-> _:KItem M:Map) => true + [simplification] + + rule X:Int -Int X:Int => 0 [simplification] + // Int addition normalization + rule X:Int +Int (Y:Int +Int Z:Int) => (X +Int Y) +Int Z [simplification] + // rule (X:Int +Int Y:Int) => (Y +Int X) [simplification, concrete(X), symbolic(Y)] + rule (A:Int +Int I:Int) +Int B:Int => (A +Int B) +Int I [simplification, concrete(I), symbolic(A,B)] + //rule (X:Int +Int Y:Int) +Int Z:Int => X +Int (Y +Int Z) [simplification, concrete(Y), concrete(Z)] + + syntax Bool ::= unusedIdsInMapKeys(lastIndex:Int, Map, expand:PropertyHandling) [function, functional] + + rule unusedIdsInMapKeys(_:Int, .Map, _:PropertyHandling) => true + rule unusedIdsInMapKeys(LastIndex:Int, (U:Usize |-> _:KItem M:Map) #as _:Map, 
Handling:PropertyHandling) + => unusedIdsInMapKeys(LastIndex, M, Handling) + andBool LastIndex >Int usizeToInt(U) + [simplification(30)] + rule unusedIdsInMapKeys(LastIndex:Int, M:Map, expand(Expand:Expand)) + => notBool u(LastIndex) in_keys(M) // TODO: Maybe check before wrapping + andBool unusedIdsInMapKeys(LastIndex +Int 1, M, Expand) + [simplification] + + rule unusedIdsInMapKeys(LastIndex:Int +Int 4, M:Map, expanded) + => true + requires unusedIdsInMapKeys(LastIndex +Int 3, M, expanded) + [simplification] + rule unusedIdsInMapKeys(LastIndex:Int +Int 2, M:Map, expanded) + => true + requires true + andBool notBool u(LastIndex +Int 2) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 3, M, expanded) + [simplification] + + rule unusedIdsInMapKeys(LastIndex:Int, M:Map, usesExpanded) + => true + requires false + orBool unusedIdsInMapKeys(LastIndex, M, expanded) + orBool (true + andBool notBool u(LastIndex) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 1, M, expanded) + ) + orBool (true + andBool notBool u(LastIndex) in_keys(M) + andBool notBool u(LastIndex +Int 1) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) + ) + + [simplification] + + /* + rule unusedIdsInMapKeys(LastIndex:Int +Int 1, M:Map, usesExpanded) + => true + requires notBool u(LastIndex +Int 1) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) + [simplification] + */ + + syntax Bool ::= unusedIdsInMapValues(lastIndex:Int, Map, handling:PropertyHandling) [function, functional] + rule unusedIdsInMapValues(_:Int, .Map, _:PropertyHandling) => true + rule unusedIdsInMapValues( + LastIndex:Int, + (_:KItem |-> Value:Usize M:Map) #as _:Map, + Handling:PropertyHandling + ) + => unusedIdsInMapValues(LastIndex, M, Handling) + andBool LastIndex >Int usizeToInt(Value) + [simplification(10)] + rule unusedIdsInMapValues(LastIndex:Int, M:Map, expand(_:Expand)) + => unusedIdsInMapValues(LastIndex, M, expanded) + + rule unusedIdsInMapValues(LastIndex:Int +Int 3, 
M:Map, _:PropertyHandling) + => true + requires unusedIdsInMapValues(LastIndex +Int 2, M, expanded) + [simplification] + + rule unusedIdsInMapValues(LastIndex:Int, M:Map, usesExpanded) + => true + requires false + orBool unusedIdsInMapValues(LastIndex -Int 1, M, expanded) + orBool unusedIdsInMapValues(LastIndex, M, expanded) + [simplification] + + syntax Bool ::= noMapKeyInList(Map, ExpressionList) [function, functional] + rule noMapKeyInList(.Map, _:ExpressionList) => true + // TODO: Do I need this? + rule noMapKeyInList(.Map, [.]) => true + [simplification] + rule noMapKeyInList(M:Map, [E:Expression, .]) => true + requires notBool E in_keys(M) + [simplification] + rule noMapKeyInList((K:KItem |-> _:KItem M:Map) #as _:Map, L:ExpressionList) + => true + andBool notBool #listContains(L, K) + andBool noMapKeyInList(M, L) + [simplification] + rule noMapKeyInList(M:Map, [#pushList(L:ExpressionCSV, E:Expression)]) + => true + requires noMapKeyInList(M, [L]) + andBool notBool E in_keys(M) + [simplification] + + syntax Map ::= keysMap(Map) [function, functional] + rule keysMap(.Map) => .Map + rule keysMap((K:KItem |-> _:KItem M:Map) #as _:Map) => K |-> 0 keysMap(M) + [simplification] + rule X:KItem in_keys(keysMap(M:Map)) => X in_keys(M) + [simplification] + + rule #Ceil(@M:Map (@K:KItem |-> @V:KItem)) + => {(@K in_keys(@M)) #Equals false} + #And #Ceil(@M) + #And #Ceil(@K) + #And #Ceil(@V) + [anywhere, simplification(20)] + + syntax Int ::= countMapValues(Map, KItem) [function, functional, smtlib(countMapValues)] + rule countMapValues(.Map, _) => 0 + rule countMapValues(((_ |-> U) M:Map) #as _:Map, V:KItem) => countMapValues(M, V) +Int countValue(U, V) + [simplification] + + syntax Int ::= countValue(KItem, KItem) [function, functional, smtlib(countMapValue)] + rule countValue(V:KItem, V:KItem) => 1 + rule countValue(_:KItem, _:KItem) => 0 [owise] + // requires notBool (V1 ==K V2) + + rule 0 <=Int countValue(_:KItem, _:KItem) => true [simplification, smt-lemma] + rule 
countValue(_:KItem, _:KItem) >=Int 0 => true [simplification] + rule countValue(_:KItem, _:KItem) <=Int 1 => true [simplification, smt-lemma] + + rule 0 <=Int countMapValues(_, _) => true [simplification, smt-lemma] + rule countMapValues(_, _) >=Int 0 => true [simplification] + + rule countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0 [simplification] + + // TODO: Replace these with generic int rules. + rule 0 <=Int countMapValues(A, B) +Int X:Int => countMapValues(A, B) +Int X >=Int 0 + [simplification] + rule countMapValues(_, _) +Int X:Int >=Int 0 => true + requires X >=Int 0 + [simplification] + rule countMapValues(_, _) +Int X:Int >Int 0 => true + requires X >Int 0 + [simplification] + rule countValue(_, _) +Int X:Int >=Int 0 => true + requires X >=Int 0 + [simplification] + rule countValue(_, _) +Int X:Int >Int 0 => true + requires X >Int 0 + [simplification] + /* + rule countMapValues(_, _) +Int 1 >=Int 0 => true [simplification] + rule countMapValues(_, _) +Int 2 >=Int 0 => true [simplification] + rule countMapValues(_, _) +Int 1 +Int countMapValues(_, _) >Int 0 => true [simplification] + rule countMapValues(_, _) +Int countMapValues(_, _) +Int X:Int >Int 0 + => true + requires X >Int 0 + [simplification] + rule countMapValues(_, _) +Int countValue(_, _) >=Int 0 => true [simplification] + rule countMapValues(_, _) +Int countValue(_, _) +Int X:Int >=Int 0 + => true + requires X >=Int 0 + [simplification] + rule countMapValues(_, _) +Int countMapValues(_, _) +Int countValue(_, _) +Int 1 >Int 0 + => true + [simplification] + */ + + // TODO: Proof for this. 
+ syntax Bool ::= canSignFunction(UserRole) [function, functional] + rule canSignFunction(Role:UserRole) => Role ==K BoardMember + + syntax Int ::= countCanSignFunction(signerIDs:ExpressionList, userIdToRole:Map) [function, functional] + syntax Int ::= #countCanSignFunction(userID:Usize, signerIDs:ExpressionList, userIdToRole:Map, value:KItem) [function, functional] + rule countCanSignFunction([.], _:Map) => 0 + rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], UserId |-> Role:UserRole M:Map) + => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. + requires canSignFunction(Role) + rule countCanSignFunction([_:Expression, Es:ExpressionCSV], M) + => countCanSignFunction([Es], M) + [owise] + + rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], concat(UserId1:KItem, Role:UserRole, M:Map)) + => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) + [simplification] + rule #countCanSignFunction(UserId:Usize, Es:ExpressionList, M:Map, Value:UserRole) + => 1 +Int countCanSignFunction(Es, M[UserId <- undef]) + requires canSignFunction(Value) + [simplification] + rule #countCanSignFunction(_:Usize, Es:ExpressionList, M:Map, Value:UserRole) + => countCanSignFunction(Es, M) + requires notBool canSignFunction(Value) + [simplification] + +endmodule + +module PROOF-INSTRUMENTATION + imports MAP + + imports PSEUDOCODE + + syntax KItem ::= splitEquality(KItem, KItem) + rule splitEquality(A:KItem, B:KItem) => .K + requires A ==K B + rule splitEquality(A:KItem, B:KItem) => .K + requires notBool (A ==K B) + + syntax KItem ::= splitBoolean(Bool) + rule splitBoolean(true) => .K + rule splitBoolean(false) => .K + + syntax KItem ::= branchK(Bool, K, K) + rule branchK(true, K:K, _:K) => K + rule branchK(false, _:K, K:K) => K +endmodule + +module EXECUTION-PROOF-BOOL + imports BOOL + + rule B1:Bool orBool _:Bool => true + requires B1 + [simplification] + 
rule _:Bool orBool B2:Bool => true + requires B2 + [simplification] + rule B1:Bool orBool B2:Bool => B2 + requires notBool B1 + [simplification] + rule B1:Bool orBool B2:Bool => B1 + requires notBool B2 + [simplification] +endmodule + +module EXECUTION-PROOF + imports EXECUTION-PROOF-BOOL + imports EXECUTION-PROOF-HELPERS + imports PROOF-INSTRUMENTATION + + imports INVARIANT +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k new file mode 100644 index 000000000..ce3f2364c --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant.k 
@@ -0,0 +1,376 @@ +module INVARIANT-HELPERS + imports EXECUTION-PROOF-HELPERS + + syntax Bool ::= addressToUserIdInvariant(addressToUserId:Map) + [function, functional] + + rule addressToUserIdInvariant(.Map) => true + + rule addressToUserIdInvariant(_:KItem |-> V:KItem AddressToUserId:Map) + => true + andBool valueOfType(V, rUsize) // valuesAreOfType(AddressToUserId, rUsize) + andBool isKResult(V) // valuesAreKResult(AddressToUserId) + andBool valueIsNotEmpty(V, rUsize) // valuesAreNotEmpty(AddressToUserId, rUsize) + andBool valueNotInMapValues(V, AddressToUserId) // valuesAreDistinct(AddressToUserId) + + andBool addressToUserIdInvariant(AddressToUserId) + [simplification] + + + syntax Bool ::= userIdToRoleInvariant(userIdToRole:Map) + [function, functional] + + rule userIdToRoleInvariant(.Map) => true + + rule userIdToRoleInvariant(_:KItem |-> V:KItem UserIdToRole:Map) + => true + andBool valueOfType(V, rUserRole) // valuesAreOfType(UserIdToRole, rUserRole) + andBool isKResult(V) // valuesAreKResult(UserIdToRole) + andBool valueIsNotEmpty(V, rUserRole) // valuesAreNotEmpty(UserIdToRole, rUserRole) + + andBool userIdToRoleInvariant(UserIdToRole:Map) + [simplification] + + + syntax Bool ::= actionDataInvariant(actionData:Map) + [function, functional] + rule actionDataInvariant(.Map) => true + rule actionDataInvariant(_:KItem |-> V:KItem ActionData:Map) + => true + andBool valueOfType(V, rAction) // valuesAreOfType(ActionData, rAction) + andBool isKResult(V) // valuesAreKResult(ActionData) + + andBool actionDataInvariant(ActionData) + [simplification] + + + syntax Bool ::= actionSignersInvariant(actionSigners:Map) + [function, functional] + rule actionSignersInvariant(.Map) => true + rule actionSignersInvariant(_:KItem |-> V:KItem ActionSigners:Map) + => true + andBool isExpressionList(V) andBool listElementsAreUsize(V) // valuesAreExpressionListOfUsize(ActionSigners) + andBool isKResult(V) // valuesAreKResult(ActionSigners) + + andBool 
actionSignersInvariant(ActionSigners) + [simplification] +endmodule + +module INVARIANT + imports EXECUTION-PROOF-HELPERS + imports PSEUDOCODE + imports INVARIANT-HELPERS + + syntax StateCell ::= invariantState( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map) [function, functional] + + syntax MultisigStateCell ::= invariantMultisigState( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map) [function, functional] + + syntax StateCell ::= invariantStateStack( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map, + callerAddress:KItem, + stack:List) [function, functional] + + rule invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map) + => + invariantStateStack( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + uninitialized, + .List) + + rule invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:KItem, + Stack:List) + => + + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners):MultisigStateCell + + 
.Map + Stack + + + CallerAddress + + + .K + + + + rule invariantMultisigState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map) + => + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners + + + + + syntax Bool ::= invariant( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map, + handling:PropertyHandling) [function, functional] + + rule invariant( + u(NumUsers:Int), + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int), + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + Handling:PropertyHandling) + => true + andBool notBool u(0) in_keys(UserIdToAddress) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool allValuesBecomeKeys(AddressToUserId, UserIdToAddress) + andBool allValuesBecomeKeys(UserIdToAddress, AddressToUserId) + + andBool addressToUserIdInvariant(AddressToUserId) + // andBool valuesAreOfType(AddressToUserId, rUsize) + // andBool valuesAreKResult(AddressToUserId) + // andBool valuesAreNotEmpty(AddressToUserId, rUsize) + // andBool valuesAreDistinct(AddressToUserId) + // TODO: Is unusedIdsInMapValues the same as noReusedIndexValue? 
+ andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) + andBool noReusedIndexValue(NumUsers +Int 1, AddressToUserId, Handling) + + andBool userIdToRoleInvariant(UserIdToRole) + // andBool valuesAreOfType(UserIdToRole, rUserRole) + // andBool valuesAreKResult(UserIdToRole) + // andBool valuesAreNotEmpty(UserIdToRole, rUserRole) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), Handling) + + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), Handling) + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), Handling) + andBool maxMapKey(u(ActionLastIndex), keysMap(ActionData)) + andBool maxMapKey(u(ActionLastIndex), keysMap(ActionSigners)) + + andBool actionSignersInvariant(ActionSigners) + // andBool valuesAreExpressionListOfUsize(ActionSigners) + // andBool valuesAreKResult(ActionSigners) + + andBool actionDataInvariant(ActionData) + // andBool valuesAreOfType(ActionData, rAction) + // andBool valuesAreKResult(ActionData) + + andBool NumUsers >=Int 0 // TODO: Strict >? + andBool NumBoardMembers >=Int 0 + andBool NumProposers >=Int 0 + + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int NumProposers >Int 0) + + andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) + andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + + // TODO: Delete. 
+ syntax Bool ::= invariantDebug( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map, + handling:PropertyHandling) [function, functional] + + rule invariantDebug( + u(NumUsers:Int), + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int), + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + Handling:PropertyHandling) + => true + andBool notBool u(0) in_keys(UserIdToAddress) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool allValuesBecomeKeys(AddressToUserId, UserIdToAddress) + andBool allValuesBecomeKeys(UserIdToAddress, AddressToUserId) + + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) + andBool valuesAreDistinct(AddressToUserId) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + andBool valuesAreNotEmpty(UserIdToRole, rUserRole) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), Handling) + + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), Handling) + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), Handling) + andBool maxMapKey(u(ActionLastIndex), keysMap(ActionData)) + andBool maxMapKey(u(ActionLastIndex), keysMap(ActionSigners)) + + andBool valuesAreExpressionListOfUsize(ActionSigners) + andBool valuesAreKResult(ActionSigners) + + andBool valuesAreOfType(ActionData, rAction) + andBool valuesAreKResult(ActionData) + + andBool NumUsers >=Int 0 // TODO: Strict >? 
+ andBool NumBoardMembers >=Int 0 + andBool NumProposers >=Int 0 + + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int NumProposers >Int 0) + + andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) + andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + + syntax Bool ::= subset(Map, Map) [function, functional] + rule subset(K:KItem |-> _:KItem M:Map, N:Map) + => K in_keys(N) andBool subset(M, N) + [simplification] + rule subset(M:Map, _:KItem |-> _:KItem N:Map) + => true + requires subset(M, N) + [simplification] + + syntax Bool ::= maxMapKey(lastIndex:Usize, Map) [function, functional] + rule maxMapKey(_:Usize, .Map) => true + rule maxMapKey(u(V:Int), u(K:Int) |-> _:KItem M:Map) + => (K <=Int V) andBool maxMapKey(u(V), M) + rule maxMapKey(u(V:Int), u(K:Int) |-> _:KItem M:Map) + => (K <=Int V) andBool maxMapKey(u(V), M) + [simplification] + rule maxMapKey(u(V:Int +Int 1), M:Map) + => true + requires maxMapKey(u(V:Int), M:Map) + [simplification] + + rule isKResult(#pushList(Es:ExpressionCSV, E:Expression)) + => isKResult(Es) andBool isKResult(E) + [simplification] + + rule listElementsAreUsize([#pushList(Es:ExpressionCSV, E:Expression)]) + => listElementsAreUsize([Es]) andBool isUsize(E) + [simplification] + + rule isKResult(#listSwapRemove(Es:ExpressionCSV, _:Int)) + => isKResult(Es) + [simplification] + + // TODO: This is wrong, although it works in practice. + rule listElementsAreUsize([#listSwapRemove(Es:ExpressionCSV, _:Int)]) + => listElementsAreUsize([Es]) + [simplification] + + rule A:Int +Int K:Int >Int B:Int => true + requires K >Int 0 andBool A >=Int B + [simplification] + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/Makefile b/multisig/protocol-correctness/proof/invariant/Makefile new file mode 100644 index 000000000..609d0bcf5 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/Makefile 
@@ -0,0 +1,36 @@
+include ../settings.mak
+
+.PHONY: default
+default: all ;
+
+SCRIPT_DIR = ..
+
+PROOF_DIR = ..
+include ../proof-dependency.mak
+
+INVARIANT_DIR = .
+include invariant.mak
+
+INVARIANT_PERFORM = $(wildcard $(INVARIANT_DIR)/proof-perform-*.k)
+FINVARIANT_PERFORM = $(filter-out $(INVARIANT_DIR)/proof-perform-action-endpoint.k, $(INVARIANT_PERFORM))
+INVARIANT_PERFORM_TIMESTAMPS = $(addprefix $(INVARIANT_OUT_PREFIX),$(notdir ${FINVARIANT_PERFORM:.k=.timestamp}))
+
+.PHONY: all clean execution short perform
+
+all: $(INVARIANT_OUT_PREFIX)proof.timestamp
+
+execution: $(INVARIANT_OUT_PREFIX)execution.timestamp
+
+short: $(INVARIANT_OUT_PREFIX)short-proofs.timestamp
+
+perform: $(INVARIANT_OUT_PREFIX)proofperform.timestamp
+
+$(INVARIANT_OUT_PREFIX)short-proofs.timestamp: $(INVARIANT_OUT_PREFIX)proof-init-loop.timestamp $(INVARIANT_OUT_PREFIX)proof-count-can-sign.timestamp $(INVARIANT_OUT_PREFIX)proof-init.timestamp $(INVARIANT_OUT_PREFIX)proof-listlen.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-add-proposer-1.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-add-proposer-2.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-add-proposer-3.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-change-quorum.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-nothing.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-remove-user-1.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-remove-user-2.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-remove-user-5.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-s-c-call.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-s-c-deploy.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-send-egld.timestamp $(INVARIANT_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @touch $(INVARIANT_OUT_PREFIX)short-proof.timestamp
+
+$(INVARIANT_OUT_PREFIX)proofperform.timestamp: ${INVARIANT_PERFORM_TIMESTAMPS} $(INVARIANT_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @touch $(INVARIANT_OUT_PREFIX)proofperform.timestamp
+
+clean: invariant.clean
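Review bot: The `short-proofs.timestamp` recipe touches `$(INVARIANT_OUT_PREFIX)short-proof.timestamp` (singular), not the target it is building, so the target file is never created and `make short` re-runs every one of its prerequisites each time; change the recipe to `@touch $(INVARIANT_OUT_PREFIX)short-proofs.timestamp`. The long prerequisite list of that rule would also be easier to maintain as a variable built with `$(addprefix $(INVARIANT_OUT_PREFIX),...)`, as `INVARIANT_PERFORM_TIMESTAMPS` already does a few lines above.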
diff --git a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k new file mode 100644 index 000000000..eecf4bd95 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k 
@@ -0,0 +1,168 @@ +module COUNT-CAN-SIGN-PARTS + imports EXECUTION-PROOF-HELPERS + imports INVARIANT-HELPERS + imports PSEUDOCODE + + syntax TTCell ::= countCanSignLhs( + signerIds:ExpressionList, + K, + UsersCell, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + ActionStateCell, + variables:Map, + stack:List, + ExternalCallEnvCell) + [function, functional] + + rule countCanSignLhs( + SignerIds:ExpressionList, + K:K, + Users:UsersCell, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell) + => + + call(countCanSign(SignerIds)) + ~> K + + + + Users:UsersCell + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + Variables + Stack + + ExternalCallEnv + + .K + + + + + syntax TTCell ::= countCanSignRhs( + count:Usize, + K, + UsersCell, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + ActionStateCell, + variables:Map, + stack:List, + ExternalCallEnvCell) + [function, functional] + + rule countCanSignRhs( + Count:Usize, + K:K, + Users:UsersCell, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell) + => + + evaluate(Count) ~> K + + + + Users + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + Variables + Stack + + ExternalCallEnv + + .K + + + + + syntax Bool ::= countCanSignRequires( + signerIds:ExpressionList, + UsersCell, + numBoardMembers:KItem, + numProposers:Usize, + userIdToRole:Map, + quorum:KItem, + ActionStateCell, + variables:Map, + stack:List, + ExternalCallEnvCell) + [function, functional] + + rule countCanSignRequires( + SignerIds:ExpressionList, + _Users:UsersCell, + _NumBoardMembers:KItem, + _NumProposers:Usize, + UserIdToRole:Map, + _Quorum:KItem, + 
_ActionState:ActionStateCell, + Variables:Map, + _Stack:List, + _ExternalCallEnv:ExternalCallEnvCell) + => + isKResult(SignerIds) + andBool listElementsAreUsize(SignerIds) + andBool (notBool result in_keys(Variables)) + andBool (notBool user_role in_keys(Variables)) + andBool userIdToRoleInvariant(UserIdToRole) + + syntax Bool ::= countCanSignEnsures( + count:Usize, + UsersCell, + numBoardMembers:KItem, + numProposers:Usize, + userIdToRole:Map, + quorum:KItem, + ActionStateCell, + variables:Map, + stack:List, + ExternalCallEnvCell) + [function, functional] + + rule countCanSignEnsures( + _Count:Usize, + _Users:UsersCell, + _NumBoardMembers:KItem, + _NumProposers:Usize, + _UserIdToRole:Map, + _Quorum:KItem, + _ActionState:ActionStateCell, + _Variables:Map, + _Stack:List, + _ExternalCallEnv:ExternalCallEnvCell) + => true + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k new file mode 100644 index 000000000..1030b40a9 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k 
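Review bot: `countCanSignEnsures` reduces to `true` for every `Count`, so the claim this spec can establish is only that `countCanSign(SignerIds)` terminates with some `Usize`; if the result itself is meant to be proved, the postcondition should relate `Count` to the `countCanSignFunction(SignerIds, UserIdToRole)` helper from the execution-proof helpers, e.g. `=> Count ==K u(countCanSignFunction(SignerIds, UserIdToRole))`, dropping the `_` from the parameters the rule then reads. The sort of `numBoardMembers` and `quorum` is `KItem` in `countCanSignRequires`/`countCanSignEnsures` but `Usize` in `countCanSignLhs`/`countCanSignRhs`; either the sorts should agree, or a comment should say why the pre/postconditions accept the wider sort.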
@@ -0,0 +1,232 @@ +module INIT-LOOP-PARTS + imports PSEUDOCODE + imports EXECUTION-PROOF-HELPERS + imports INVARIANT-HELPERS + + syntax TTCell ::= initLoopLhs( + prevIndex:Usize, + addresses:ExpressionList, + K, + userIdToAddress:Map, + addressToUserId:Map, + userIdToRole:Map, + quorum:Usize, + ActionStateCell, + variables:Map, + stack:List, + ExternalCallEnvCell, + address:Expression, + userId:Usize) + [function, functional] + rule initLoopLhs( + PrevIndex:Usize, + Addresses:ExpressionList, + K:K, + UserIdToAddress0:Map, + AddressToUserId0:Map, + UserIdToRole0:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell, + Address:Expression, + UserId:Usize) + => + + runInstruction( + for (i = add(PrevIndex, u(1)), address ) in Addresses { + user_id = i + u(1); + require(getUserId(address) == u(0)); + setUserId(address, user_id); + setUserAddress(user_id, address); + setUserIdToRole(user_id, BoardMember); + } + ) + ~> K + + + + + u(0) + UserIdToAddress0 + AddressToUserId0 + + + u(0) + u(0) + UserIdToRole0 + Quorum + + ActionState + + + + i |-> PrevIndex + address |-> Address + user_id |-> UserId + Variables + + Stack + + ExternalCallEnv + + .K + + + + + + syntax TTCell ::= initLoopRhs( + KItem, + K, + userIdToAddress:Map, + addressToUserId:Map, + userIdToRole:Map, + quorum:Usize, + ActionStateCell, + variables:Map, + stack:List, + ExternalCallEnvCell, + index:Usize, + address:Expression, + userId:Usize) + [function, functional] + rule initLoopRhs( + Item:KItem, + K:K, + UserIdToAddress1:Map, + AddressToUserId1:Map, + UserIdToRole1:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell, + Index:Usize, + Address:Expression, + UserId:Usize) + => + + Item ~> K + + + + u(0) + UserIdToAddress1 + AddressToUserId1:Map + + + u(0) + u(0) + UserIdToRole1 + Quorum + + ActionState + + + + (i |-> Index) + (address |-> Address) + (user_id |-> UserId) + 
Variables + + Stack + + ExternalCallEnv + + .K + + + + + syntax Bool ::= initLoopRequires( + prevIndex:Usize, + addresses:ExpressionList, + userIdToAddress:Map, + addressToUserId:Map, + userIdToRole:Map) + [function, functional] + rule initLoopRequires( + u(PrevIndex:Int), + Addresses:ExpressionList, + UserIdToAddress0:Map, + AddressToUserId0:Map, + UserIdToRole0:Map) + => true + andBool PrevIndex >=Int 0 + andBool isKResult(Addresses) + + andBool noReusedIndexAddress(add(u(PrevIndex), u(2)), UserIdToAddress0, Addresses) + andBool noReusedIndexRole(add(u(PrevIndex), u(2)), UserIdToRole0, Addresses) + andBool listElementsAreAddresses(Addresses) + + andBool initLoopInvariant( + add(u(PrevIndex), u(1)), + UserIdToAddress0, + AddressToUserId0, + UserIdToRole0, + expand(expanded)) + + syntax Bool ::= initLoopEnsures( + numUsers:Usize, + addresses:ExpressionList, + userIdToAddress:Map, + addressToUserId:Map, + userIdToRole0:Map, + userIdToRole:Map) [function, functional] + + rule initLoopEnsures( + NumUsers:Usize, + Addresses:ExpressionList, + UserIdToAddress:Map, + AddressToUserId:Map, + UserIdToRole0:Map, + UserIdToRole:Map) + => true + andBool initLoopInvariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + UserIdToRole, + usesExpanded) + andBool pListLen(Addresses) + +Int countMapValues(UserIdToRole0, BoardMember) + ==Int countMapValues(UserIdToRole, BoardMember) + + syntax Bool ::= initLoopInvariant( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + userIdToRole:Map, + handling:PropertyHandling) [function, functional] + + rule initLoopInvariant( + u(NumUsers:Int), + UserIdToAddress:Map, + AddressToUserId:Map, + UserIdToRole:Map, + Handling:PropertyHandling) + => true + andBool notBool u(0) in_keys(UserIdToAddress) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool allValuesBecomeKeys(AddressToUserId, UserIdToAddress) + andBool allValuesBecomeKeys(UserIdToAddress, AddressToUserId) + + andBool addressToUserIdInvariant(AddressToUserId) + // 
andBool valuesAreOfType(AddressToUserId, rUsize) + // andBool valuesAreKResult(AddressToUserId) + // andBool valuesAreNotEmpty(AddressToUserId, rUsize) + // andBool valuesAreDistinct(AddressToUserId) + andBool noReusedIndexValue(NumUsers +Int 1, AddressToUserId, Handling) + andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) + + andBool userIdToRoleInvariant(UserIdToRole) + // andBool valuesAreOfType(UserIdToRole, rUserRole) + // andBool valuesAreKResult(UserIdToRole) + // andBool valuesAreNotEmpty(UserIdToRole, rUserRole) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), Handling) + + andBool 0 ==Int countMapValues(UserIdToRole, Proposer) +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k new file mode 100644 index 000000000..2f10c7cb1 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k 
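Review bot: The index offsets in `initLoopRequires` are undocumented: `noReusedIndexAddress`/`noReusedIndexRole` are checked from `add(u(PrevIndex), u(2))` while `initLoopInvariant` is assumed at `add(u(PrevIndex), u(1))`, and a reader has to derive from the loop body in `initLoopLhs` (`i` starts at `PrevIndex + 1`, `user_id = i + u(1)`) that the first id the loop allocates is `PrevIndex + 2`. Suggest a comment above the two `noReusedIndex*` conjuncts such as `// The loop allocates user ids from PrevIndex + 2 on (i = PrevIndex + 1, user_id = i + 1), so none of those ids may be in use; on entry the invariant holds for NumUsers = PrevIndex + 1.` The three hard-coded `u(0)` counters in `initLoopLhs`/`initLoopRhs` deserve a similar one-line note, since this file does not say why the loop is verified with the counters at zero (presumably init assigns them after the loop — worth confirming).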
@@ -0,0 +1,259 @@ +require "../execution-proof.k" + +require "count-can-sign-parts.k" +require "init-loop-parts.k" +require "perform-parts.k" + +module INVARIANT-EXECUTION-SYNTAX + imports EXECUTION-PROOF-SYNTAX +endmodule + +// TODO: Delete. +module TEST + imports INT + + syntax KItem ::= sub(Int) + rule sub(I:Int) => .K requires I <=Int 0 + rule sub(I:Int) => sub(I -Int 1) requires notBool (I <=Int 0) +endmodule + +module INVARIANT-INSTRUMENTATION + imports MAP + + imports PROOF-INSTRUMENTATION + imports PSEUDOCODE + + syntax Singleton ::= "singleton" + + syntax IntVarList ::= vars(Int, IntVarList) + | ".IntVarList" + + syntax Bool ::= isLazyConcretize(KItem) [function, functional] + rule isLazyConcretize(lazyConcretizeKeysFreezer) => true + rule isLazyConcretize(lazyConcretizeKeys(_:Map)) => true + rule isLazyConcretize(lazyConcretizeValues(_:Map)) => true + rule isLazyConcretize(_:KItem) => false [owise] + + rule nullableMapLookup(_:KItem, M:Map, _:ReflectionType) + ~> (.K => lazyConcretizeKeys(M)) + ~> K:KItem + requires notBool isLazyConcretize(K) + [priority(20)] + rule (E:Expression => .K) ~> lazyConcretizeKeys(_) ~> (.K => E) + [priority(20)] + + rule nullableMapSet(_:KItem, _:KItem, _:Map, _:ReflectionType) // This may be needed only for addressToUserID, in init. 
+ ~> (.K => lazyConcretizeKeysFreezer) + ~> K:KItem + requires notBool isLazyConcretize(K) + [priority(20)] + rule (M:Map ~> lazyConcretizeKeysFreezer) => (lazyConcretizeKeys(M) ~> M) + [priority(20)] + + syntax Singleton ::= concretizeKeys(Map, IntVarList) [function, functional] + rule concretizeKeys((K:Usize |-> _:KItem M:Map) #as _:Map, vars(U:Int, Vars:IntVarList)) + => concretizeKeys(M, Vars) + ensures K ==K u(U:Int) + // => concretizeKeys(M, Vars) #And #Ceil(K #And u(U:Int)) + [simplification(40)] + rule concretizeKeys(_:Map, _:IntVarList) => singleton + [simplification(50)] + + syntax Singleton ::= concretizeValues(Map, IntVarList) [function, functional] + rule concretizeValues((_:KItem |-> V:Usize M:Map) #as _:Map, vars(U:Int, Vars:IntVarList)) + => concretizeValues(M, Vars) + ensures V ==K u(U:Int) + // => concretizeKeys(M, Vars) #And #Ceil(K #And u(U:Int)) + [simplification(40)] + rule concretizeValues(_:Map, _:IntVarList) => singleton + [simplification(50)] + + syntax KItem ::= concretized(Singleton) + rule concretized(singleton) => .K + + syntax KItem ::= "lazyConcretizeKeysFreezer" + + syntax KItem ::= lazyConcretizeKeys(Map) + rule lazyConcretizeKeys(M:Map) => concretized(concretizeKeys(M, vars(?_, vars(?_, .IntVarList)))) + + syntax KItem ::= lazyConcretizeValues(Map) + rule lazyConcretizeValues(M:Map) => concretized(concretizeValues(M, vars(?_, vars(?_, .IntVarList)))) + + syntax KItem ::= "splitting-action" + rule pushContext ~> (.K => splitAction(A) ~> splitting-action) ~> call(performAction(A:Action)) + ... + [priority(10)] + rule (splitting-action => .K) ... 
+ [priority(20)] + + syntax KItem ::= splitAction(Action) + rule splitAction(Nothing) => .K + rule splitAction(AddBoardMember(_:Address)) => .K + rule splitAction(AddProposer(_:Address)) => .K + rule splitAction(RemoveUser(address(_:Int))) => .K + rule splitAction(ChangeQuorum(_:Usize)) => .K + rule splitAction(SendEgld(_To:Address, _Amount:BigUint, _Data:BoxedBytes)) => .K + rule splitAction(SCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _CodeMetadata:CodeMetadata, + _Arguments:ExpressionList)) + => .K + rule splitAction(SCCall( + _To:Address, + _Amount:BigUint, + _Function:BoxedBytes, + _Arguments:ExpressionList)) + => .K + + syntax KItem ::= "splitting-delete-caller" + rule ( + splitting-action + => splitEquality(A1, A2) // TODO: remove + ~> splitBoolean(A1 in_keys(AddressToUserId)) + ~> splitting-delete-caller + ) + ~> call(performAction(RemoveUser(A1:Address))) + ... + AddressToUserId:Map + A2:KItem + [priority(10)] + rule (splitting-delete-caller => .K) ... + [priority(20)] + + syntax KItem ::= "splitting-delete-address-to-user-id" + rule ( + splitting-delete-caller + => splitMap( + A, AddressToUserId, + ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) + ~> cast(AddressToUserId[A], rUsize) + ~> removeValue + ~> splitting-delete-address-to-user-id + ) + ~> call(performAction(RemoveUser(A:Address))) + ... + AddressToUserId:Map + requires A in_keys(AddressToUserId) + [priority(10)] + rule (splitting-delete-caller => .K) + ~> call(performAction(RemoveUser(A:Address))) + ... + AddressToUserId:Map + requires notBool (A in_keys(AddressToUserId)) + [priority(10)] + rule (splitting-delete-address-to-user-id => .K) ... 
+ [priority(20)] + + syntax KItem ::= "splitting-user-id-to-role" + rule ( + splitting-delete-address-to-user-id + => splitMap( + UserId, UserIdToRole, + ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) + ~> cast(UserIdToRole[UserId], rUserRole) + ~> removeValue + ~> lazyConcretizeKeys(UserIdToRole) + ~> splitBoolean(UserIdToRole[UserId] ==K BoardMember) + ~> splitBoolean(Quorum <=Int NumBoardMembers -Int 1) + ~> splitBoolean(Quorum <=Int NumBoardMembers) + ~> splitBoolean(NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ~> splitting-user-id-to-role + ) + ~> call(performAction(RemoveUser(A:Address))) + ... + A |-> UserId:KItem _AddressToUserId:Map + UserIdToRole:Map + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(Quorum:Int) + requires UserId in_keys(UserIdToRole) + [priority(10)] + rule (splitting-delete-address-to-user-id => .K) + ~> call(performAction(RemoveUser(A:Address))) + ... + A |-> UserId:KItem _AddressToUserId:Map + UserIdToRole:Map + requires notBool (UserId in_keys(UserIdToRole)) + [priority(10)] + rule (splitting-user-id-to-role => .K) ... + [priority(20)] + + syntax KItem ::= concretizeValue(KItem) + rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV) + rule concretizeValue(u(V:Int)) => concretizeValue(V) + rule concretizeValue(address(V:Int)) => concretizeValue(V) + rule concretizeValue(BoardMember) => .K + rule concretizeValue(Proposer) => .K + rule concretizeValue(None) => .K + + rule concretizeValue(_) => .K [priority(200)] + + syntax KItem ::= "concretize-sc-deploy" + rule ( + splitting-action + => concretizeValue(Arguments) + ~> concretize-sc-deploy + ) + ~> call(performAction(SCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _CodeMetadata:CodeMetadata, + Arguments:ExpressionList))) + ... 
+ [priority(10)] + rule concretize-sc-deploy => .K + [priority(20)] + + syntax KItem ::= lazySplitMap(k:KItem, m:Map, value:KItem, remainder:Map) + rule lazySplitMap(K:KItem, M:Map, Value:KItem, Remainder:Map) + => splitMap(K, M, Value, Remainder) + + syntax KItem ::= "splitting-add-proposer-in-keys-atuid" + rule ( + splitting-action + => splitEquality(A1, A2) + ~> splitBoolean(A1 in_keys(AddressToUserId)) + ~> branchK( + A1 in_keys(AddressToUserId), + lazySplitMap( + A1, AddressToUserId, + ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) + ~> cast(AddressToUserId[A1], rUsize) + ~> removeValue + ~> concretizeValue(AddressToUserId[A1]) + ~> concretizeValue(A1) + ~> lazySplitMap( + AddressToUserId[A1], UserIdToRole, + ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) + ~> cast(UserIdToRole[AddressToUserId[A1]], rUserRole) + ~> removeValue + ~> concretizeValue(UserIdToRole[AddressToUserId[A1]]) + ~> .K, + .K + ) + ~> splitting-add-proposer-in-keys-atuid + ) + ~> call(performAction(AddProposer(A1:Address))) + ... + AddressToUserId:Map + UserIdToRole:Map + A2:KItem + [priority(10)] + rule splitting-add-proposer-in-keys-atuid => .K + [priority(20)] + +endmodule + +module INVARIANT-EXECUTION + imports EXECUTION-PROOF + + imports INVARIANT-INSTRUMENTATION + + imports COUNT-CAN-SIGN-PARTS + imports INIT-LOOP-PARTS + imports PERFORM-PARTS + + // TODO: Delete. + imports TEST +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/invariant/invariant.mak b/multisig/protocol-correctness/proof/invariant/invariant.mak new file mode 100644 index 000000000..c1233f735 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/invariant.mak 
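Review bot: `lazyConcretizeKeys` and `lazyConcretizeValues` pass a fixed `vars(?_, vars(?_, .IntVarList))`, so only the first two map entries are bound to fresh integers and `concretizeKeys`/`concretizeValues` fall through to the `singleton` rule for any remaining entries; nothing in the hunk says this two-entry limit is intended. Add a comment on those two rules, e.g. `// Only the first two entries are concretized; proofs over larger maps must extend the var list.`, or derive the list from the map. The `splitting-user-id-to-role` rule hard-codes case splits on `Quorum <=Int NumBoardMembers -Int 1` and `NumBoardMembers -Int 1 +Int NumProposers >Int 0`, which mirror conjuncts of `invariant` in proof/invariant.k; a comment tying each `splitBoolean` to the invariant conjunct it serves would keep the instrumentation in sync when the invariant changes.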
@@ -0,0 +1,41 @@
+INVARIANT_OUT_PREFIX=out/invariant.
+
+INVARIANT_ALL := $(wildcard $(INVARIANT_DIR)/*.k)
+INVARIANT_PROOFS := $(wildcard $(INVARIANT_DIR)/proof-*.k)
+INVARIANT_EXECUTION := $(filter-out $(INVARIANT_PROOFS), $(INVARIANT_ALL)) $(PROOF_EXECUTION)
+
+INVARIANT_PROOF_TIMESTAMPS := $(addprefix $(INVARIANT_OUT_PREFIX),$(notdir ${INVARIANT_PROOFS:.k=.timestamp}))
+INVARIANT_PROOF_DEBUGGERS := $(addprefix $(INVARIANT_OUT_PREFIX),${INVARIANT_PROOFS:.k=.debugger})
+
+.PHONY: invariant.clean ${INVARIANT_PROOF_DEBUGGERS}
+
+$(INVARIANT_OUT_PREFIX)proof.timestamp: ${INVARIANT_PROOF_TIMESTAMPS} $(INVARIANT_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @touch $(INVARIANT_OUT_PREFIX)proof.timestamp
+
+$(INVARIANT_OUT_PREFIX)proof-%.timestamp: $(INVARIANT_DIR)/proof-%.k $(INVARIANT_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Proving $*..."
+ @cat /proc/uptime | sed 's/\s.*//' > $(INVARIANT_OUT_PREFIX)proof-$*.duration.temp
+ @((kprove $< --directory $(INVARIANT_DIR) --haskell-backend-command $(BACKEND_COMMAND) > $(INVARIANT_OUT_PREFIX)proof-$*.out 2>&1) && echo "$* done") || (cat $(INVARIANT_OUT_PREFIX)proof-$*.out; echo "$* failed"; echo "$*" >> $(INVARIANT_OUT_PREFIX)failures; false)
+ @cat /proc/uptime | sed 's/\s.*//' >> $(INVARIANT_OUT_PREFIX)proof-$*.duration.temp
+ @$(SCRIPT_DIR)/compute-duration.py $(INVARIANT_OUT_PREFIX)proof-$*.duration.temp > $(INVARIANT_OUT_PREFIX)proof-$*.duration
+ @rm $(INVARIANT_OUT_PREFIX)proof-$*.duration.temp
+ @touch $(INVARIANT_OUT_PREFIX)proof-$*.timestamp
+
+$(INVARIANT_OUT_PREFIX)proof-%.debugger: $(INVARIANT_OUT_PREFIX)proof-%.k $(INVARIANT_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Debugging $*..."
+ @kprove $< --directory $(INVARIANT_DIR) --haskell-backend-command $(DEBUG_COMMAND)
+
+$(INVARIANT_OUT_PREFIX)execution.timestamp: $(INVARIANT_DIR)/invariant-execution.k ${INVARIANT_EXECUTION}
+ $(DIR_GUARD)
+ @echo "Compiling execution..."
+ @kompile $< --backend haskell --directory $(INVARIANT_DIR)
+ @touch $(INVARIANT_OUT_PREFIX)execution.timestamp
+
+invariant.clean:
+ -rm -r $(INVARIANT_DIR)/*-kompiled
+ -rm -r .kprove-*
+ -rm kore-*.tar.gz
+ -rm $(INVARIANT_OUT_PREFIX)*
diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k
new file mode 100644
index 000000000..b3b4db662
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k
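Review bot: The `$(INVARIANT_OUT_PREFIX)proof-%.debugger` rule names `$(INVARIANT_OUT_PREFIX)proof-%.k` as its prerequisite, but the proof sources live under `$(INVARIANT_DIR)` (the `proof-%.timestamp` rule just above uses `$(INVARIANT_DIR)/proof-%.k`), so any `…proof-<name>.debugger` target fails on a missing prerequisite before `kprove` ever runs. Change it to `$(INVARIANT_OUT_PREFIX)proof-%.debugger: $(INVARIANT_DIR)/proof-%.k $(INVARIANT_OUT_PREFIX)execution.timestamp`. Minor: `@cat /proc/uptime | sed 's/\s.*//'` is Linux-only and a needless pipe; `cut -d' ' -f1 /proc/uptime` does the same in one process, though portability may not matter for this build.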
@@ -0,0 +1,239 @@ +module PERFORM-PARTS + + imports EXECUTION-PROOF-HELPERS + imports INVARIANT-HELPERS + imports PSEUDOCODE + + syntax Bool ::= performRequires( + action:Action, + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize) + [function, functional] + syntax Bool ::= performEnsures( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize) + [function, functional] + syntax Bool ::= performInvariant( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + handling:PropertyHandling) + [function, functional] + syntax TTCell ::= performLhs( + action:Action, + K, + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + ActionStateCell, + stack:List, + callerAddress:Address) + [function, functional] + syntax TTCell ::= performRhs( + result:KItem, + K, + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + ActionStateCell, + variables:Map, + stack:List, + callerAddress:Address) + [function, functional] + + rule performRequires( + Action:Action, + UNumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int)) + => true + andBool isKResult(Action) + andBool performInvariant( + UNumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int), + expand(expanded)) + + rule performEnsures( + UNumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int)) + => true + 
andBool performInvariant( + UNumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int), + usesExpanded) + + // TODO: Use the main invariant. + rule performInvariant( + u(NumUsers:Int), + UserIdToAddress:Map, + AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + UserIdToRole:Map, + u(Quorum:Int), + Handling:PropertyHandling) + => true + andBool notBool u(0) in_keys(UserIdToAddress) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool allValuesBecomeKeys(AddressToUserId, UserIdToAddress) + andBool allValuesBecomeKeys(UserIdToAddress, AddressToUserId) + + andBool addressToUserIdInvariant(AddressToUserId) + // andBool valuesAreOfType(AddressToUserId, rUsize) + // andBool valuesAreKResult(AddressToUserId) + // andBool valuesAreNotEmpty(AddressToUserId, rUsize) + // andBool valuesAreDistinct(AddressToUserId) + andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) + andBool noReusedIndexValue(NumUsers +Int 1, AddressToUserId, Handling) + + andBool userIdToRoleInvariant(UserIdToRole) + // andBool valuesAreOfType(UserIdToRole, rUserRole) + // andBool valuesAreKResult(UserIdToRole) + // andBool valuesAreNotEmpty(UserIdToRole, rUserRole) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), Handling) + + andBool NumUsers >=Int 0 // TODO: Strict >? 
+ andBool NumBoardMembers >=Int 0 + andBool NumProposers >=Int 0 + + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int NumProposers >Int 0) + + andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) + andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + rule performLhs( + Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + => + + call(performAction(Action)) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + + .Map + + Stack + + + CallerAddress + + + .K + + + + + rule performRhs( + Result:KItem, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Variables:Map, + Stack:List, + CallerAddress:Address) + => + + Result ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + + Variables + + Stack + + + CallerAddress + + + .K + + + + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k new file mode 100644 index 000000000..34c9e48d2 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k 
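Review bot: `performInvariant` is a hand-maintained copy of the state invariant (the `// TODO: Use the main invariant.` comment and the four commented-out `valuesAre*` conjuncts show it has already drifted), yet every per-action lemma is discharged against `performRequires`/`performEnsures` built on it, while `proof-perform-action.k` in this same patch assumes and concludes the main `invariant`. If any conjunct the main invariant needs is not implied by `addressToUserIdInvariant`/`userIdToRoleInvariant`, the trusted per-action lemmas establish less than the composition relies on. At minimum a header comment should state which conjuncts of the main invariant `performInvariant` intentionally omits and why; better, define it by calling the main invariant with the action cells abstracted so the two cannot diverge. The `// TODO: Strict >?` on `NumUsers >=Int 0` also deserves resolving, since `notBool u(0) in_keys(...)` suggests ids start at 1 and the bound may be intended to be strict.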
@@ -0,0 +1,112 @@
+module TRUSTED-COUNT-CAN-SIGN
+ imports COUNT-CAN-SIGN-PARTS
+
+ claim countCanSignLhs(
+ SignerIds:ExpressionList,
+ K:K,
+ Users:UsersCell,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Variables:Map,
+ Stack:List,
+ ExternalCallEnv:ExternalCallEnvCell)
+
+ => countCanSignRhs(
+ u(countCanSignFunction(SignerIds, opaque(UserIdToRole))),
+ K,
+ Users,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?Variables:Map,
+ Stack,
+ ExternalCallEnv)
+
+ requires
+ countCanSignRequires(
+ SignerIds,
+ Users,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ Variables,
+ Stack,
+ ExternalCallEnv)
+ ensures
+ countCanSignEnsures(
+ ?Count,
+ Users,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?Variables,
+ Stack,
+ ExternalCallEnv)
+ [trusted]
+
+endmodule
+
+module PROOF-COUNT-CAN-SIGN
+ imports INVARIANT-EXECUTION
+
+ claim countCanSignLhs(
+ SignerIds:ExpressionList,
+ K:K,
+ Users:UsersCell,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Variables:Map,
+ Stack:List,
+ ExternalCallEnv:ExternalCallEnvCell)
+
+ => countCanSignRhs(
+ ?Count:Usize,
+ K,
+ Users,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?Variables:Map,
+ Stack,
+ ExternalCallEnv)
+
+ requires
+ countCanSignRequires(
+ SignerIds,
+ Users,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ Variables,
+ Stack,
+ ExternalCallEnv)
+ ensures
+ countCanSignEnsures(
+ ?Count,
+ Users,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?Variables,
+ Stack,
+ ExternalCallEnv)
+
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k
new file mode 100644
index 000000000..fbdf20de6
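Review bot: The trusted claim in `TRUSTED-COUNT-CAN-SIGN` is stronger than what `PROOF-COUNT-CAN-SIGN` proves: the trusted RHS fixes the result to `u(countCanSignFunction(SignerIds, opaque(UserIdToRole)))`, whereas the proven claim only yields an existential `?Count:Usize`. Every module importing the trusted lemma therefore relies on a value equation that no proof in this file discharges. Either prove the stronger form, replacing `?Count:Usize,` in the PROOF RHS with `u(countCanSignFunction(SignerIds, opaque(UserIdToRole))),`, or weaken the trusted claim to match. In the trusted claim `?Count` in `countCanSignEnsures(?Count, ...)` also appears nowhere on the RHS, so it either fails to parse or constrains nothing.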
--- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k @@ -0,0 +1,66 @@ +require "proof-count-can-sign.k" + +module PROOF-DISCARD-ACTION + imports INVARIANT-EXECUTION + imports PSEUDOCODE + imports TRUSTED-COUNT-CAN-SIGN + + claim + runExternalCalls( + ( from _:Address run discardAction(ActionId:Usize); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex0, + ActionData0, + ActionSigners0, + expand(expanded)) + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-init-loop.k b/multisig/protocol-correctness/proof/invariant/proof-init-loop.k new file mode 100644 index 000000000..bca6f8bc7 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-init-loop.k 
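Review bot: The claim asserts only that `discardAction` preserves the invariant over the action cells; the caller is `from _:Address`, fully unconstrained, and nothing is said about the result, so a reader should not take it as evidence that the authorization check inside `discardAction` is correct. A one-line comment above `claim` making that scope explicit would prevent over-reading, e.g. `// Invariant preservation only: the caller is unconstrained, and this claim says nothing about who is allowed to discard.`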
@@ -0,0 +1,188 @@ +module TRUSTED-INIT-LOOP + imports INVARIANT-EXECUTION + imports INIT-LOOP-PARTS + imports PSEUDOCODE + + claim initLoopLhs( + PrevIndex:Usize, + Addresses:ExpressionList, + K:K, + UserIdToAddress0:Map, + AddressToUserId0:Map, + UserIdToRole0:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .Map, // TODO: Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell, + _Address0:Expression, + _UserId0:Usize) + + => + initLoopRhs( + evaluate(void), + K, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?UserIdToRole1, + Quorum, + ActionState, + .Map, // TODO: Variables, + Stack, + ExternalCallEnv, + add(PrevIndex, u(pListLen(Addresses))), + ?_Address1:Expression, + ?_UserId1:Usize) + + requires + initLoopRequires( + PrevIndex, + Addresses, + UserIdToAddress0, + AddressToUserId0, + UserIdToRole0) + andBool noCommonItem(add(PrevIndex, u(2)), AddressToUserId0, Addresses) + ensures + initLoopEnsures( + add(add(PrevIndex, u(pListLen(Addresses))), u(1)), + Addresses, + ?UserIdToAddress1, + ?AddressToUserId1, + UserIdToRole0, + ?UserIdToRole1) + [trusted] + + claim initLoopLhs( + PrevIndex:Usize, + Addresses:ExpressionList, + K:K, + UserIdToAddress0:Map, + AddressToUserId0:Map, + UserIdToRole0:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .Map, // TODO: Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell, + _Address0:Expression, + _UserId0:Usize) + + => + initLoopRhs( + error, + K, + ?_UserIdToAddress1:Map, + ?_AddressToUserId1:Map, + ?_UserIdToRole1:Map, + Quorum, + ActionState, + .Map, // TODO: Variables, + Stack, + ExternalCallEnv, + add(PrevIndex, u(pListLen(Addresses))), + ?_Address1:Expression, + ?_UserId1:Usize) + + requires + initLoopRequires( + PrevIndex, + Addresses, + UserIdToAddress0, + AddressToUserId0, + UserIdToRole0) + andBool notBool noCommonItem(add(PrevIndex, u(2)), AddressToUserId0, Addresses) + [trusted] +endmodule + +module PROOF-INIT-LOOP + imports INIT-LOOP-PARTS + + claim initLoopLhs( + 
PrevIndex:Usize, + Addresses:ExpressionList, + K:K, + UserIdToAddress0:Map, + AddressToUserId0:Map, + UserIdToRole0:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .Map, // TODO: Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell, + _Address0:Expression, + _UserId0:Usize) + + => + initLoopRhs( + evaluate(void), + K, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?UserIdToRole1, + Quorum, + ActionState, + .Map, // TODO: Variables, + Stack, + ExternalCallEnv, + add(PrevIndex, u(pListLen(Addresses))), + ?_Address1:Expression, + ?_UserId1:Usize) + + requires + initLoopRequires( + PrevIndex, + Addresses, + UserIdToAddress0, + AddressToUserId0, + UserIdToRole0) + andBool noCommonItem(add(PrevIndex, u(2)), AddressToUserId0, Addresses) + ensures + initLoopEnsures( + add(add(PrevIndex, u(pListLen(Addresses))), u(1)), + Addresses, + ?UserIdToAddress1, + ?AddressToUserId1, + UserIdToRole0, + ?UserIdToRole1) + + claim initLoopLhs( + PrevIndex:Usize, + Addresses:ExpressionList, + K:K, + UserIdToAddress0:Map, + AddressToUserId0:Map, + UserIdToRole0:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .Map, // TODO: Variables:Map, + Stack:List, + ExternalCallEnv:ExternalCallEnvCell, + _Address0:Expression, + _UserId0:Usize) + + => + initLoopRhs( + error, + K, + ?_UserIdToAddress1:Map, + ?_AddressToUserId1:Map, + ?_UserIdToRole1, + Quorum, + ActionState, + .Map, // TODO: Variables, + Stack, + ExternalCallEnv, + add(PrevIndex, u(pListLen(Addresses))), + ?_Address1:Expression, + ?_UserId1:Usize) + + requires + initLoopRequires( + PrevIndex, + Addresses, + UserIdToAddress0, + AddressToUserId0, + UserIdToRole0) + andBool notBool noCommonItem(add(PrevIndex, u(2)), AddressToUserId0, Addresses) + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-init.k b/multisig/protocol-correctness/proof/invariant/proof-init.k new file mode 100644 index 000000000..1d90e9945 --- /dev/null 
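Review bot: The index arithmetic in both claims is undocumented: the precondition checks `noCommonItem(add(PrevIndex, u(2)), AddressToUserId0, Addresses)` while the postcondition passes `add(add(PrevIndex, u(pListLen(Addresses))), u(1))`, and nothing says what `PrevIndex` denotes or why the offsets are 2 and 1, which is exactly where an off-by-one would hide. A comment above the first `claim` stating the meaning of `PrevIndex` and of each offset would let a reader check it without opening the helper definitions. The `.Map, // TODO: Variables:Map` placeholders also mean every claim here is established only for an empty variable map, which the trusted module should state explicitly since `proof-init.k` imports it. Keeping the trusted and proven claims byte-identical (the proven error-path RHS has `?_UserIdToRole1` where the trusted one has `?_UserIdToRole1:Map`) would make their correspondence checkable with a plain diff.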
+++ b/multisig/protocol-correctness/proof/invariant/proof-init.k @@ -0,0 +1,70 @@ +require "proof-init-loop.k" + +module PROOF-INIT + imports INVARIANT-EXECUTION + imports PSEUDOCODE + imports TRUSTED-INIT-LOOP + + rule forall-v-greater-or-equal-than-u-v-not-in-m(_:Usize, .Map, _:ExpressionList) + => true [simplification] + + claim call(listLen(L:ExpressionList)) => u(pListLen(L)) + requires isKResult(L) + [trusted] + + claim + runExternalCalls( + ( from _:Address run init(_Quorum:Usize, Addresses:ExpressionList); + EC:ExternalCommands + ) + ) + + initialState + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers:Usize, + ?UserIdToAddress:Map, + ?AddressToUserId:Map, + ?NumBoardMembers:Usize, + ?NumProposers:Usize, + ?UserIdToRole:Map, + ?Quorum:Usize, + ?ActionLastIndex:Usize, + ?ActionData:Map, + ?ActionSigners:Map) + + requires listElementsAreAddresses(Addresses) + //andBool noCommonItem(u(1), .Map, Addresses) + + andBool isKResult(Addresses) + andBool noReusedIndexAddress(u(1), .Map, Addresses) + andBool noReusedIndexRole(u(1), .Map, Addresses) + + ensures invariant( + ?NumUsers, + ?UserIdToAddress, + ?AddressToUserId, + ?NumBoardMembers, + ?NumProposers, + ?UserIdToRole, + ?Quorum, + ?ActionLastIndex, + ?ActionData, + ?ActionSigners, + usesExpanded) + orBool invariantState( + ?NumUsers:Usize, + ?UserIdToAddress:Map, + ?AddressToUserId:Map, + ?NumBoardMembers:Usize, + ?NumProposers:Usize, + ?UserIdToRole:Map, + ?Quorum:Usize, + ?ActionLastIndex:Usize, + ?ActionData:Map, + ?ActionSigners:Map) + ==K initialState +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-listlen.k b/multisig/protocol-correctness/proof/invariant/proof-listlen.k new file mode 100644 index 000000000..b1d599187 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-listlen.k 
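Review bot: `rule forall-v-greater-or-equal-than-u-v-not-in-m(_:Usize, .Map, _:ExpressionList) => true [simplification]` introduces an axiom inside a proof module: it is neither marked `[trusted]` nor proven here, so the init claim silently depends on it. It looks true for the empty map, but it belongs next to the helper's definition in its home module (or as a proven claim), with a comment such as `// Vacuously true: no value can be in the empty map.`; likewise the `[trusted]` `listLen` claim duplicates the third claim of `proof-listlen.k` without `require`-ing that file, so the two can drift. The `orBool ... ==K initialState` disjunct in `ensures` appears to be the failure path (init errors and the state is untouched); a comment saying so would help.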
@@ -0,0 +1,16 @@ +module PROOF-LISTLEN + imports PSEUDOCODE + imports INVARIANT-EXECUTION + + claim call(listLen([.])) => u(0) ... + .K + + claim call(listLen([E:Expression , Es:ExpressionCSV])) => u(1 +Int pListLen([Es])) ... + .K + requires isKResult(E) andBool isKResult(Es) + + claim call(listLen(L:ExpressionList)) => u(pListLen(L)) ... + .K + requires isKResult(L) + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k new file mode 100644 index 000000000..b96015082 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k 
@@ -0,0 +1,175 @@ +require "proof-count-can-sign.k" +require "proof-perform-add-board-member.k" +require "proof-perform-add-proposer-1.k" +require "proof-perform-add-proposer-2.k" +require "proof-perform-add-proposer-3.k" +require "proof-perform-add-proposer-4.k" +require "proof-perform-add-proposer-5.k" +require "proof-perform-add-proposer-6.k" +require "proof-perform-add-proposer-7.k" +require "proof-perform-add-proposer-8.k" +require "proof-perform-add-proposer-9.k" +require "proof-perform-change-quorum.k" +require "proof-perform-nothing.k" +require "proof-perform-remove-user-1.k" +require "proof-perform-remove-user-2.k" +require "proof-perform-remove-user-3.k" +require "proof-perform-remove-user-4.k" +require "proof-perform-remove-user-5.k" +require "proof-perform-remove-user-6.k" +require "proof-perform-remove-user-7.k" +require "proof-perform-remove-user-8.k" +require "proof-perform-remove-user-9.k" +require "proof-perform-remove-user-10.k" +require "proof-perform-s-c-call.k" +require "proof-perform-s-c-deploy.k" +require "proof-perform-send-egld.k" + +module PROOF-PERFORM-ACTION-ENDPOINT + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + imports TRUSTED-COUNT-CAN-SIGN + imports TRUSTED-PERFORM-ADD-BOARD-MEMBER + imports TRUSTED-PERFORM-ADD-PROPOSER-1 + imports TRUSTED-PERFORM-ADD-PROPOSER-2 + imports TRUSTED-PERFORM-ADD-PROPOSER-3 + imports TRUSTED-PERFORM-ADD-PROPOSER-4 + imports TRUSTED-PERFORM-ADD-PROPOSER-5 + imports TRUSTED-PERFORM-ADD-PROPOSER-6 + imports TRUSTED-PERFORM-ADD-PROPOSER-7 + imports TRUSTED-PERFORM-ADD-PROPOSER-8 + imports TRUSTED-PERFORM-ADD-PROPOSER-9 + imports TRUSTED-PERFORM-CHANGE-QUORUM + imports TRUSTED-PERFORM-NOTHING + imports TRUSTED-PERFORM-REMOVE-USER-1 + imports TRUSTED-PERFORM-REMOVE-USER-2 + imports TRUSTED-PERFORM-REMOVE-USER-3 + imports TRUSTED-PERFORM-REMOVE-USER-4 + imports TRUSTED-PERFORM-REMOVE-USER-5 + imports TRUSTED-PERFORM-REMOVE-USER-6 + imports TRUSTED-PERFORM-REMOVE-USER-7 + imports 
TRUSTED-PERFORM-REMOVE-USER-8 + imports TRUSTED-PERFORM-REMOVE-USER-9 + imports TRUSTED-PERFORM-REMOVE-USER-10 + imports TRUSTED-PERFORM-S-C-CALL + imports TRUSTED-PERFORM-S-C-DEPLOY + imports TRUSTED-PERFORM-SEND-EGLD + + claim + runExternalCalls( + ( from _:Address run performActionEndpoint(_ActionId:Usize); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserRoles1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + ensures invariant( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserRoles1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) + +/* + claim + call(userRoleCanPropose(U:UserRole)) ~> K:K + + State:StateCell + + => + + true ~> K + State:StateCell + + requires notBool U ==K None + + claim + call(userRoleCanPropose(U:UserRole)) ~> K:K + + State:StateCell + + => + + false ~> K + State + + requires U ==K None +*/ + + claim + call(getActionSignerIds(ActionId:Usize)) ~> K:K + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map):StateCell + + => + + ActionSigners[ActionId] 
orDefault [.] ~> K + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map):StateCell + + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k new file mode 100644 index 000000000..d6ef2bf8f --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k 
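Review bot: The `/* claim call(userRoleCanPropose(U:UserRole)) ... */` block is dead code left in the proof module; either delete it or replace it with a one-line comment saying why that case split is no longer needed. The 25 `require` lines and 25 `imports TRUSTED-PERFORM-*` lines are repeated verbatim in the `proof-perform-action.k` hunk below; a single aggregator module that requires and imports every `TRUSTED-PERFORM-*` module, imported by both, would keep the lists from drifting when the next `remove-user-N` case is added. As with the other endpoint claims, the `ensures` covers invariant preservation only, not that `performActionEndpoint` checks the signer count against the quorum before performing, which is worth stating in a comment above the claim.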
@@ -0,0 +1,155 @@ +require "proof-perform-add-board-member.k" +require "proof-perform-add-proposer-1.k" +require "proof-perform-add-proposer-2.k" +require "proof-perform-add-proposer-3.k" +require "proof-perform-add-proposer-4.k" +require "proof-perform-add-proposer-5.k" +require "proof-perform-add-proposer-6.k" +require "proof-perform-add-proposer-7.k" +require "proof-perform-add-proposer-8.k" +require "proof-perform-add-proposer-9.k" +require "proof-perform-change-quorum.k" +require "proof-perform-nothing.k" +require "proof-perform-remove-user-1.k" +require "proof-perform-remove-user-2.k" +require "proof-perform-remove-user-3.k" +require "proof-perform-remove-user-4.k" +require "proof-perform-remove-user-5.k" +require "proof-perform-remove-user-6.k" +require "proof-perform-remove-user-7.k" +require "proof-perform-remove-user-8.k" +require "proof-perform-remove-user-9.k" +require "proof-perform-remove-user-10.k" +require "proof-perform-s-c-call.k" +require "proof-perform-s-c-deploy.k" +require "proof-perform-send-egld.k" + +module PROOF-PERFORM-ACTION + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-ADD-BOARD-MEMBER + imports TRUSTED-PERFORM-ADD-PROPOSER-1 + imports TRUSTED-PERFORM-ADD-PROPOSER-2 + imports TRUSTED-PERFORM-ADD-PROPOSER-3 + imports TRUSTED-PERFORM-ADD-PROPOSER-4 + imports TRUSTED-PERFORM-ADD-PROPOSER-5 + imports TRUSTED-PERFORM-ADD-PROPOSER-6 + imports TRUSTED-PERFORM-ADD-PROPOSER-7 + imports TRUSTED-PERFORM-ADD-PROPOSER-8 + imports TRUSTED-PERFORM-ADD-PROPOSER-9 + imports TRUSTED-PERFORM-CHANGE-QUORUM + imports TRUSTED-PERFORM-NOTHING + imports TRUSTED-PERFORM-REMOVE-USER-1 + imports TRUSTED-PERFORM-REMOVE-USER-2 + imports TRUSTED-PERFORM-REMOVE-USER-3 + imports TRUSTED-PERFORM-REMOVE-USER-4 + imports TRUSTED-PERFORM-REMOVE-USER-5 + imports TRUSTED-PERFORM-REMOVE-USER-6 + imports TRUSTED-PERFORM-REMOVE-USER-7 + imports TRUSTED-PERFORM-REMOVE-USER-8 + imports TRUSTED-PERFORM-REMOVE-USER-9 + imports TRUSTED-PERFORM-REMOVE-USER-10 + imports 
TRUSTED-PERFORM-S-C-CALL + imports TRUSTED-PERFORM-S-C-DEPLOY + imports TRUSTED-PERFORM-SEND-EGLD + + claim + + + splitAction ( A:Action ) + ~> splitting-action + ~> call ( performAction ( A ) ) + ~> popContext + ~> evaluateReturnValue + ~> popContext + ~> evaluateReturnValue + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> runExternalCalls ( EC ) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + CallerAddress:Address, + ListItem(stackEntry(_:MultisigStateCell, _:Map)) + ListItem(stackEntry(_:MultisigStateCell, _:Map)) + ListItem(stackEntry( + invariantMultisigState( + NumUsersS:Usize, + UserIdToAddressS:Map, + AddressToUserIdS:Map, + NumBoardMembersS:Usize, + NumProposersS:Usize, + UserRolesS:Map, + QuorumS:Usize, + ActionLastIndexS:Usize, + ActionDataS:Map, + ActionSignersS:Map):MultisigStateCell, + .Map))) + + => + + runExternalCalls(EC) + invariantStateStack( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserRoles1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + CallerAddress:Address, + .List):StateCell + + requires true + andBool invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + andBool invariant( + NumUsersS:Usize, + UserIdToAddressS:Map, + AddressToUserIdS:Map, + NumBoardMembersS:Usize, + NumProposersS:Usize, + UserRolesS:Map, + QuorumS:Usize, + ActionLastIndexS:Usize, + ActionDataS:Map, + ActionSignersS:Map, + expanded) + andBool isKResult(A) + ensures true + andBool invariant( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + 
?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserRoles1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k new file mode 100644 index 000000000..c3a09d302 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k 
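Review bot: The two `invariant(...)` preconditions use different handling modes — `expand(expanded)` for the live state and bare `expanded` for the saved `invariantMultisigState` on the third stack entry — and nothing says why; if intentional (e.g. the saved copy is only consulted on the error path), a comment above `requires true` should say so, otherwise it reads like a typo. The LHS also hard-codes the continuation `splitAction(A) ~> splitting-action ~> call(performAction(A)) ~> popContext ~> evaluateReturnValue ~> ...` and a stack of exactly three entries, two wildcarded; a comment naming the call frames those three `stackEntry`s correspond to would make the claim reviewable. Since `splitAction`/`splitting-action` appear to be proof instrumentation from the earlier hunk, the claim is about the instrumented execution, which is also worth stating.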
@@ -0,0 +1,110 @@ +module TRUSTED-PERFORM-ADD-BOARD-MEMBER + imports INVARIANT-EXECUTION + + claim + + performLhs( + AddBoardMember(_BoardMemberAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + ?UserIdToRoleFinal:Map, + Quorum, + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + ?UserIdToRoleFinal, + Quorum) + [trusted] +endmodule + +module PROOF-PERFORM-ADD-BOARD-MEMBER + imports INVARIANT-EXECUTION + + claim + + performLhs( + AddBoardMember(_BoardMemberAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + ?UserIdToRoleFinal:Map, + Quorum, + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + 
?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + ?UserIdToRoleFinal, + Quorum) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k new file mode 100644 index 000000000..b7ed250c7 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k 
@@ -0,0 +1,108 @@ +module TRUSTED-PERFORM-ADD-PROPOSER-1 + imports INVARIANT-EXECUTION + + claim + + performLhs( + AddProposer(ProposerAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + ProposerAddress |-> ProposerId:Usize + CallerAddress |-> _:Usize + _:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + u(?_NumUsersFinal:Int), + ?_UserIdToAddressFinal:Map, + ?_AddressToUserIdFinal:Map, + u(?_NumBoardMembersFinal:Int), + u(?_NumProposersFinal:Int), + ?_UserIdToRoleFinal:Map, + Quorum, + ActionState, + ?_Variables:Map, + Stack, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + andBool notBool (ProposerAddress ==K CallerAddress) + andBool Quorum ==K NumBoardMembers + [trusted] + +endmodule + +module PROOF-PERFORM-ADD-PROPOSER-1 + imports INVARIANT-EXECUTION + + claim + + performLhs( + AddProposer(ProposerAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + ProposerAddress |-> ProposerId:Usize + CallerAddress |-> _:Usize + _:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + u(?_NumUsersFinal:Int), + ?_UserIdToAddressFinal:Map, + ?_AddressToUserIdFinal:Map, + u(?_NumBoardMembersFinal:Int), + u(?_NumProposersFinal:Int), + ?_UserIdToRoleFinal:Map, + Quorum, + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, 
+ NumProposers, + UserIdToRole, + Quorum) + andBool notBool (ProposerAddress ==K CallerAddress) + andBool Quorum ==K NumBoardMembers + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k new file mode 100644 index 000000000..ccc342cee --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k 
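Review bot: Neither module says which case of AddProposer this file covers, and the split into nine numbered files is hard to navigate without that. From the pattern — the target address maps to a `BoardMember` distinct from the caller and `Quorum ==K NumBoardMembers` — the claim appears to be the failure case where turning a board member into a proposer would leave fewer board members than the quorum (the pseudocode is not in this hunk, so confirm), and a header comment such as `// Case 1: target is a board member other than the caller; demoting it would violate Quorum <= NumBoardMembers, so the action errors.` would document it. The `notBool (ProposerAddress ==K CallerAddress)` side condition presumably exists because the map pattern `ProposerAddress |-> ... CallerAddress |-> ...` requires two distinct keys; that deserves a comment too.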
@@ -0,0 +1,102 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-2
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ error,
+ K,
+ u(?_NumUsersFinal:Int),
+ ?_UserIdToAddressFinal:Map,
+ ?_AddressToUserIdFinal:Map,
+ u(?_NumBoardMembersFinal:Int),
+ u(?_NumProposersFinal:Int),
+ ?_UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool Quorum ==K NumBoardMembers
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-2
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ error,
+ K,
+ u(?_NumUsersFinal:Int),
+ ?_UserIdToAddressFinal:Map,
+ ?_AddressToUserIdFinal:Map,
+ u(?_NumBoardMembersFinal:Int),
+ u(?_NumProposersFinal:Int),
+ ?_UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool Quorum ==K NumBoardMembers
+endmodule
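Review bot: The proven claim fixes the stack to `.List` (`.List, // TODO: Stack:List,`) while its `[trusted]` twin quantifies over an arbitrary `Stack:List`, so whatever imports TRUSTED-PERFORM-ADD-PROPOSER-2 is relying on a generalisation this file does not discharge. The same TODO appears in every proof module of this commit, and the gap is the same in each: any invariant proof built on the trusted modules is only as strong as the empty-stack case until the TODO is resolved. Until then, either restrict the trusted claim to `.List` as well, or add a header comment to the trusted module stating the assumption, e.g. `// NOTE: only the .List instance of this claim is proven (PROOF-PERFORM-ADD-PROPOSER-2); the general Stack case is assumed, not proven.`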
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k
new file mode 100644
index 000000000..63c63c6b6
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k
@@ -0,0 +1,124 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-3
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ ProposerAddress |-> ProposerId:Usize
+ CallerAddress |-> _:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress ==K CallerAddress)
+ andBool notBool (Quorum ==K NumBoardMembers)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-3
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ ProposerAddress |-> ProposerId:Usize
+ CallerAddress |-> _:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress ==K CallerAddress)
+ andBool notBool (Quorum ==K NumBoardMembers)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k
new file mode 100644
index 000000000..c3f917bdd
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k
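Review bot: The success postcondition does not pin the state change the action is supposed to make: `?UserIdToRoleFinal:Map`, `u(?NumBoardMembersFinal:Int)` and `u(?NumProposersFinal:Int)` are all fresh existentials, so a semantics that left `ProposerId` as `BoardMember` (or dropped it from the map entirely) would still satisfy this claim as long as `performEnsures` holds. The lhs could bind the remainder as `(ProposerId |-> BoardMember Rest:Map)` and the rhs state `ProposerId |-> <proposer role> Rest` with whatever constructor the role sort uses for proposers, and give the counters as board-members-minus-one / proposers-plus-one, which needs them destructured as `u(NumBoardMembers:Int)` the way the ChangeQuorum claim does. If these modules are meant to establish invariant preservation only, a header comment saying so (`// Invariant-preservation only: the rhs deliberately does not pin the resulting role assignment or counters`) would stop a reader from taking this as a functional-correctness proof.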
@@ -0,0 +1,118 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-4
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (Quorum ==K NumBoardMembers)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-4
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (Quorum ==K NumBoardMembers)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k
new file mode 100644
index 000000000..109492b06
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k
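Review bot: Nothing in this module says why it exists separately from PROOF-PERFORM-ADD-PROPOSER-3; the reason is only visible by diffing the two — the `ProposerAddress |-> ... CallerAddress |-> ...` map pattern in -3 can only match when those are distinct keys, so the self-demotion case `AddProposer(CallerAddress)` needs its own claim. Suggest a header comment on this module, e.g. `// Case: a board member demotes itself to proposer; split from -3 because the AddressToUserId pattern there needs ProposerAddress and CallerAddress to be distinct keys.` Note also that the guard `notBool (Quorum ==K NumBoardMembers)` only means "quorum stays reachable after the demotion" if the invariant carried by `performRequires` already bounds Quorum by NumBoardMembers; if it does not, this claim admits demotions that leave the quorum unreachable, so that dependency is worth stating in the same comment.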
@@ -0,0 +1,124 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-5
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ ProposerAddress |-> ProposerId:Usize
+ CallerAddress |-> _:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress ==K CallerAddress)
+ andBool notBool (ProposerRole ==K BoardMember)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-5
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ ProposerAddress |-> ProposerId:Usize
+ CallerAddress |-> _:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress ==K CallerAddress)
+ andBool notBool (ProposerRole ==K BoardMember)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k
new file mode 100644
index 000000000..30347cd63
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k
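Review bot: `ProposerRole:KItem` gives the role variable the catch-all sort rather than the role sort, so `notBool (ProposerRole ==K BoardMember)` covers every non-BoardMember value the map can hold — an existing proposer and any other role constructor the semantics defines — and the reader cannot tell from this file which values are intended. If the only other role is the proposer one, this case is an idempotent AddProposer and the claim could assert the counters and role map unchanged instead of leaving `u(?NumProposersFinal:Int)` and `?UserIdToRoleFinal:Map` existential; if there are further role values, each deserves its own claim so the case split stays readable. Either way, a header comment naming the roles this case covers (`// Case: target already registered with a non-BoardMember role (i.e. already a proposer); AddProposer must leave the counts unchanged`) would make the intent checkable against pseudocode.k.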
@@ -0,0 +1,118 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-6
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerRole ==K BoardMember)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-6
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerRole ==K BoardMember)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k
new file mode 100644
index 000000000..a3fc8e34f
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k
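Review bot: In this case the caller is a registered user whose role is not `BoardMember` (`(ProposerId |-> ProposerRole:KItem _:Map)` with `notBool (ProposerRole ==K BoardMember)`), i.e. the perform is executed by someone who is not on the board. If `performRequires` (not visible here) demands a board-member caller, this precondition is unsatisfiable and the claim is discharged vacuously; if it does not, the claim is proving that a non-board-member can perform actions, which would be the more important finding. Please add a comment stating which holds, e.g. `// NOTE: performRequires forces the caller to be a board member, so this case is vacuous; kept only for exhaustiveness of the split.` (or its opposite), so the vacuity is a documented choice rather than something the prover silently accepts.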
@@ -0,0 +1,123 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-7
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ ProposerAddress |-> ProposerId:Usize
+ CallerAddress |-> _:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress ==K CallerAddress)
+ andBool notBool (ProposerId in_keys(UserIdToRole))
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-7
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ ProposerAddress |-> ProposerId:Usize
+ CallerAddress |-> _:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress ==K CallerAddress)
+ andBool notBool (ProposerId in_keys(UserIdToRole))
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k
new file mode 100644
index 000000000..a7dca9bea
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k
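Review bot: This case has `ProposerAddress` registered in `AddressToUserId` but `ProposerId` absent from `UserIdToRole` (`notBool (ProposerId in_keys(UserIdToRole))`), i.e. a user id that exists without a role entry. Whether that state is reachable — presumably a previously removed user whose id is retained — or is excluded by the invariant decides whether this claim does real work or is vacuous, and nothing in the module says which. Suggest a header comment such as `// Case: user id exists but has no role entry (e.g. a removed user being re-added as proposer)`, checked against invariant.k; if the invariant in fact requires every registered id to carry a role, drop the case or mark it as vacuous so nobody later reads it as evidence that role-less ids are handled.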
@@ -0,0 +1,118 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-8
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerId in_keys(UserIdToRole))
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-8
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(CallerAddress) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ CallerAddress |-> ProposerId:Usize
+ _:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerId in_keys(UserIdToRole))
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k
new file mode 100644
index 000000000..92ad8cbec
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k
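Review bot: In this case the target address already has a user id (`CallerAddress |-> ProposerId:Usize` is on the lhs), so `NumUsers`, `UserIdToAddress` and `AddressToUserId` should come out of AddProposer unchanged, yet the rhs replaces all three with fresh existentials `u(?NumUsersFinal:Int)`, `?UserIdToAddressFinal:Map`, `?AddressToUserIdFinal:Map`. Passing the lhs names through on the rhs and in `ensures`, as PERFORM-NOTHING does, would let the claim reject a semantics that re-allocates an id for an address it already knows, which is the kind of table corruption `performEnsures` alone may or may not catch. If the existentials are deliberate because the semantics is allowed to touch the user tables here, a one-line comment saying so would save the next reader the same question.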
@@ -0,0 +1,112 @@
+module TRUSTED-PERFORM-ADD-PROPOSER-9
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress in_keys(AddressToUserId))
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-ADD-PROPOSER-9
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ AddProposer(ProposerAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ ?UserIdToRoleFinal:Map,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ andBool notBool (ProposerAddress in_keys(AddressToUserId))
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ ?UserIdToRoleFinal,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k
new file mode 100644
index 000000000..cd7c98f5f
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k
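Review bot: The AddProposer case split across -1..-9 is not exhaustive on its face: every claim where the target differs from the caller also requires `CallerAddress |-> _:Usize` in `AddressToUserId`, and this module only requires `notBool (ProposerAddress in_keys(AddressToUserId))`, so "target registered, caller unregistered" is covered by none of the nine unless `performRequires` rules it out. That assumption should be written down where the split lives, e.g. a header comment `// Cases -1..-8 assume CallerAddress is a registered user (guaranteed by performRequires); -9 covers an unregistered target.`, or the missing case added. Separately, for this fresh-user path the rhs does not pin `?NumUsersFinal` to `NumUsers` plus one or require the new address to map to a fresh id, so an id collision would pass as long as `performEnsures` holds; if the invariant does not already enforce injectivity of the two address maps, that is worth stating explicitly here.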
@@ -0,0 +1,217 @@
+module TRUSTED-PERFORM-CHANGE-QUORUM
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ ChangeQuorum(u(NewQuorum:Int)) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ OldQuorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(NewQuorum),
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum)
+ andBool NewQuorum <=Int NumBoardMembers
+ ensures performEnsures(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(NewQuorum))
+ [trusted]
+
+ claim
+
+ performLhs(
+ ChangeQuorum(u(NewQuorum:Int)) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ OldQuorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ error,
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum)
+ andBool NewQuorum >Int NumBoardMembers
+ ensures performEnsures(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-CHANGE-QUORUM
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ ChangeQuorum(u(NewQuorum:Int)) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ OldQuorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(NewQuorum),
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum)
+ andBool NewQuorum <=Int NumBoardMembers
+ ensures performEnsures(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(NewQuorum))
+
+ claim
+
+ performLhs(
+ ChangeQuorum(u(NewQuorum:Int)) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ OldQuorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ error,
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum)
+ andBool NewQuorum >Int NumBoardMembers
+ ensures performEnsures(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ OldQuorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k
new file mode 100644
index 000000000..613e06ffc
--- /dev/null
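Review bot: The success claim admits `NewQuorum` equal to 0: its only guard is `andBool NewQuorum <=Int NumBoardMembers`, and nothing visible in this file excludes a zero quorum. A quorum of zero would let a single board member perform any proposed action with no co-signers, so this is the security-relevant bound, not the upper one; if pseudocode.k rejects 0 there should be a third claim with `andBool NewQuorum ==Int 0` yielding `error`, and if the invariant already requires a positive quorum the success claim should say so with `andBool NewQuorum >Int 0` rather than depend on an implicit fact from `performRequires`. Either way a one-line comment above the success claim stating the intended lower bound would make the policy explicit for whoever reads the proof as a specification.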
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k
@@ -0,0 +1,110 @@
+module TRUSTED-PERFORM-NOTHING
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ Nothing #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ ensures performEnsures(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-NOTHING
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ Nothing #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ ensures performEnsures(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k
new file mode 100644
index 000000000..60d3dc047
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k
@@ -0,0 +1,126 @@
+module TRUSTED-PERFORM-REMOVE-USER-1
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ RemoveUser(UserAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ UserAddress |-> UserId:Usize
+ CallerAddress |-> _:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ UserIdToRoleFinal,
+ u(Quorum),
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ u(NumProposers),
+ UserIdToRole,
+ u(Quorum))
+ andBool notBool (UserAddress ==K CallerAddress)
+ andBool Quorum <=Int NumBoardMembers -Int 1
+ andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ UserIdToRoleFinal,
+ u(Quorum))
+ [trusted]
+
+endmodule
+
+module PROOF-PERFORM-REMOVE-USER-1
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ RemoveUser(UserAddress:Address) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (
+ UserAddress |-> UserId:Usize
+ CallerAddress |-> _:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ u(?NumUsersFinal:Int),
+ ?UserIdToAddressFinal:Map,
+ ?AddressToUserIdFinal:Map,
+ u(?NumBoardMembersFinal:Int),
+ u(?NumProposersFinal:Int),
+ UserIdToRoleFinal,
+ u(Quorum),
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ u(NumProposers),
+ UserIdToRole,
+ u(Quorum))
+ andBool notBool (UserAddress ==K CallerAddress)
+ andBool Quorum <=Int NumBoardMembers -Int 1
+ andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0)
+ ensures performEnsures(
+ u(?NumUsersFinal),
+ ?UserIdToAddressFinal,
+ ?AddressToUserIdFinal,
+ u(?NumBoardMembersFinal),
+ u(?NumProposersFinal),
+ UserIdToRoleFinal,
+ u(Quorum))
+
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k
new file mode 100644
index 000000000..b9af293ad
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k
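Review bot: The rhs pins `UserIdToRoleFinal` (the role map minus the removed `UserId`) but leaves the counters as `u(?NumBoardMembersFinal:Int)` and `u(?NumProposersFinal:Int)` even though both are fixed by the lhs: removing a BoardMember should yield `u(NumBoardMembers -Int 1)` and `u(NumProposers)`, and the lhs already destructures them as `u(NumBoardMembers:Int)` / `u(NumProposers:Int)` so they can be written directly. Stating them would make the claim catch a semantics that forgets to decrement the board count — precisely the miscount the `Quorum <=Int NumBoardMembers -Int 1` guard exists to protect against — instead of relying on whatever `performEnsures` ties to the map. The third guard, `(NumBoardMembers -Int 1 +Int NumProposers >Int 0)`, also deserves a comment naming what it encodes (`// at least one user must remain after the removal`) and which sibling REMOVE-USER module covers its negation.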
@@ -0,0 +1,112 @@ +module TRUSTED-PERFORM-REMOVE-USER-10 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum, + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + andBool notBool (UserAddress in_keys(AddressToUserId)) + ensures performEnsures( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-10 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + ?NumUsers:Usize, + ?UserIdToAddress:Map, + ?AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum, + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + andBool notBool (UserAddress in_keys(AddressToUserId)) + ensures performEnsures( + ?NumUsers, + ?UserIdToAddress, + ?AddressToUserId, + NumBoardMembers, + NumProposers, + 
UserIdToRole, + Quorum) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k new file mode 100644 index 000000000..c17b678f9 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k 
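Review bot: The trusted and proven claims for case 10 do not agree: TRUSTED-PERFORM-REMOVE-USER-10 states that `NumUsers`, `UserIdToAddress` and `AddressToUserId` are unchanged when `UserAddress` is not a key of `AddressToUserId`, while PROOF-PERFORM-REMOVE-USER-10 only proves the existentials `?NumUsers:Usize, ?UserIdToAddress:Map, ?AddressToUserId:Map` in performRhs and `performEnsures`. Whatever consumes the `[trusted]` lemma therefore relies on a "storage untouched" fact that this file never establishes. Either strengthen the proof claim to the same unchanged variables (`NumUsers, UserIdToAddress, AddressToUserId,` in both positions, which should hold if removing an unknown address is a no-op) or weaken the trusted claim to the existentials, but the two must match.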
@@ -0,0 +1,122 @@ +module TRUSTED-PERFORM-REMOVE-USER-2 + imports INVARIANT-EXECUTION + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + UserIdToRoleFinal, + u(Quorum), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool Quorum <=Int NumBoardMembers -Int 1 + andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + UserIdToRoleFinal, + u(Quorum)) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-2 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + 
u(?NumProposersFinal:Int), + UserIdToRoleFinal, + u(Quorum), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool Quorum <=Int NumBoardMembers -Int 1 + andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + UserIdToRoleFinal, + u(Quorum)) + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k new file mode 100644 index 000000000..514db9ec3 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k 
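Review bot: None of the remove-user modules says which branch of the case split it covers, so a reader of TRUSTED-PERFORM-REMOVE-USER-2 has to diff it against case 1 to see that the only differences are the single map entry `UserAddress |-> UserId:Usize` and the guard `(UserAddress ==K CallerAddress)`. A one-line comment above each `claim`, here `// Case 2: board member removes itself, quorum/size guard holds -> success`, would make the partition over (address known, role, caller == user, guard) auditable and make a missing branch visible. The same TODO as case 1 applies: the trusted claim quantifies over `Stack:List` while the proof fixes `.List`.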
@@ -0,0 +1,114 @@ +module TRUSTED-PERFORM-REMOVE-USER-3 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + CallerAddress |-> _:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsersFinal, + ?_UserIdToAddressFinal, + ?_AddressToUserIdFinal, + ?_NumBoardMembersFinal, + ?_NumProposersFinal, + ?_UserIdToRoleFinal, + u(Quorum), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool notBool (UserAddress ==K CallerAddress) + andBool notBool + ((Quorum <=Int NumBoardMembers -Int 1) + andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ) + [trusted] + +endmodule + +module PROOF-PERFORM-REMOVE-USER-3 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + CallerAddress |-> _:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsersFinal, + ?_UserIdToAddressFinal, + ?_AddressToUserIdFinal, + ?_NumBoardMembersFinal, + ?_NumProposersFinal, + ?_UserIdToRoleFinal, + u(Quorum), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + 
NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool notBool (UserAddress ==K CallerAddress) + andBool notBool + ((Quorum <=Int NumBoardMembers -Int 1) + andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ) + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k new file mode 100644 index 000000000..91af743c7 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k 
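Review bot: The error-path claim leaves the post-state almost unconstrained and has no `ensures`: `performRhs(error, K, ?_NumUsersFinal, ?_UserIdToAddressFinal, ?_AddressToUserIdFinal, ?_NumBoardMembersFinal, ?_NumProposersFinal, ?_UserIdToRoleFinal, u(Quorum), ...)`, so nothing says the invariant still holds after a RemoveUser that fails the `Quorum <=Int NumBoardMembers -Int 1` / `NumBoardMembers -Int 1 +Int NumProposers >Int 0` guard. If `error` models a reverted call, which the unchanged `u(Quorum)` and `ActionState` hint at, the claim should say so by returning the LHS values `NumUsers, UserIdToAddress, AddressToUserId, u(NumBoardMembers), u(NumProposers), UserIdToRole` instead of fresh existentials; if it does not, a consumer of this `[trusted]` lemma has no way to re-establish the invariant on the error branch. Keeping only Quorum fixed while the board-member count is existential is also odd, since the guard itself relates the two.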
@@ -0,0 +1,110 @@ +module TRUSTED-PERFORM-REMOVE-USER-4 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsersFinal, + ?_UserIdToAddressFinal, + ?_AddressToUserIdFinal, + ?_NumBoardMembersFinal, + ?_NumProposersFinal, + ?_UserIdToRoleFinal, + u(Quorum), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool notBool + ((Quorum <=Int NumBoardMembers -Int 1) + andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-4 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsersFinal, + ?_UserIdToAddressFinal, + ?_AddressToUserIdFinal, + ?_NumBoardMembersFinal, + ?_NumProposersFinal, + ?_UserIdToRoleFinal, + u(Quorum), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + 
u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool notBool + ((Quorum <=Int NumBoardMembers -Int 1) + andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) + ) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k new file mode 100644 index 000000000..7232cca7d --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k 
@@ -0,0 +1,128 @@ +module TRUSTED-PERFORM-REMOVE-USER-5 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + CallerAddress |-> _:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + UserIdToRoleFinal, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool notBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + UserIdToRoleFinal, + u(Quorum)) + [trusted] + +endmodule + +module PROOF-PERFORM-REMOVE-USER-5 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + CallerAddress |-> _:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + 
u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + UserIdToRoleFinal, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool notBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + UserIdToRoleFinal, + u(Quorum)) + +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k new file mode 100644 index 000000000..19b6a16be --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k 
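Review bot: Case 5 matches any role with `UserId |-> UserRole:KItem` plus `notBool (UserRole ==K BoardMember)` and then requires `NumBoardMembers +Int (NumProposers -Int 1) >Int 0`, i.e. it assumes that removing every non-board-member decrements NumProposers. That is only right if the only values that can appear in `UserIdToRole` are BoardMember and Proposer and a user without a role is represented by absence from the map, which is what case 9's `notBool (UserId in_keys(UserIdToRole))` suggests; if a None-like role can be stored, the matching error case 7 would assert an error the code does not raise. I would either match `UserId |-> Proposer` explicitly here, or add `// UserRole can only be Proposer here: BoardMember is excluded and absent roles are case 9` next to the `-Int 1` so the assumption is visible.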
@@ -0,0 +1,124 @@ +module TRUSTED-PERFORM-REMOVE-USER-6 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + UserIdToRoleFinal, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + UserIdToRoleFinal, + u(Quorum)) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-6 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + 
u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + UserIdToRoleFinal, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + UserIdToRoleFinal, + u(Quorum)) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k new file mode 100644 index 000000000..98a7aa10a --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k 
@@ -0,0 +1,112 @@ +module TRUSTED-PERFORM-REMOVE-USER-7 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + CallerAddress |-> _:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsers, + ?_UserIdToAddress, + ?_AddressToUserId, + ?_NumBoardMembers, + ?_NumProposers, + ?_UserIdToRole, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool notBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool notBool ( + Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0)) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-7 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + CallerAddress |-> _:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsers, + ?_UserIdToAddress, + ?_AddressToUserId, + ?_NumBoardMembers, + ?_NumProposers, + ?_UserIdToRole, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + 
UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool notBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool notBool ( + Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0)) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k new file mode 100644 index 000000000..7850f6dfc --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k 
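Review bot: The existential post-state variables in both claims of this file are named `?_NumUsers, ?_UserIdToAddress, ?_AddressToUserId, ?_NumBoardMembers, ?_NumProposers, ?_UserIdToRole`, reusing the names of the pre-state variables of the success claims, whereas cases 3 and 4 use `?_NumUsersFinal` and friends for the same positions. Because `?_` makes them fresh anonymous variables this is not a binding error, but a reader scanning performRhs will take `?_NumUsers` for the unchanged input; renaming to the `...Final` form keeps the ten files uniform. As in cases 3 and 4, the claim has no `ensures`, so the error branch gives no invariant guarantee.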
@@ -0,0 +1,110 @@ +module TRUSTED-PERFORM-REMOVE-USER-8 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsers, + ?_UserIdToAddress, + ?_AddressToUserId, + ?_NumBoardMembers, + ?_NumProposers, + ?_UserIdToRole, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool notBool ( + Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0)) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-8 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + ( + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + error, + K, + ?_NumUsers, + ?_UserIdToAddress, + ?_AddressToUserId, + ?_NumBoardMembers, + ?_NumProposers, + ?_UserIdToRole, + u(Quorum:Int), + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + 
u(NumProposers), + UserIdToRole, + u(Quorum)) + andBool (UserAddress ==K CallerAddress) + andBool notBool (UserRole ==K BoardMember) + andBool notBool ( + Quorum <=Int NumBoardMembers + andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0)) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k new file mode 100644 index 000000000..58ab24bae --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k 
@@ -0,0 +1,116 @@ +module TRUSTED-PERFORM-REMOVE-USER-9 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + ?UserIdToRoleFinal:Map, + Quorum, + ActionState, + ?_Variables:Map, + Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + andBool notBool (UserId in_keys(UserIdToRole)) + andBool UserAddress in_keys(AddressToUserId) + andBool AddressToUserId ==K (UserAddress |-> UserId:KItem _AddressToUserId:Map) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + ?UserIdToRoleFinal, + Quorum) + [trusted] +endmodule + +module PROOF-PERFORM-REMOVE-USER-9 + imports INVARIANT-EXECUTION + + claim + + performLhs( + RemoveUser(UserAddress:Address) #as Action:Action, + K:K, + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionState:ActionStateCell, + .List, // TODO: Stack:List, + CallerAddress:Address) + + => + + performRhs( + evaluate(void), + K, + u(?NumUsersFinal:Int), + ?UserIdToAddressFinal:Map, + ?AddressToUserIdFinal:Map, + u(?NumBoardMembersFinal:Int), + u(?NumProposersFinal:Int), + ?UserIdToRoleFinal:Map, + Quorum, + ActionState, + ?_Variables:Map, + .List, // TODO: Stack:List, + CallerAddress) + + requires performRequires( + Action, + NumUsers, + UserIdToAddress, + AddressToUserId, + 
NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum) + andBool notBool (UserId in_keys(UserIdToRole)) + andBool UserAddress in_keys(AddressToUserId) + andBool AddressToUserId ==K (UserAddress |-> UserId:KItem _AddressToUserId:Map) + ensures performEnsures( + u(?NumUsersFinal), + ?UserIdToAddressFinal, + ?AddressToUserIdFinal, + u(?NumBoardMembersFinal), + u(?NumProposersFinal), + ?UserIdToRoleFinal, + Quorum) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k new file mode 100644 index 000000000..ada1e0f64 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k 
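Review bot: `UserId` is not bound by the performLhs pattern in case 9 (`AddressToUserId:Map` is a plain variable) and first appears in `notBool (UserId in_keys(UserIdToRole))`; it is only pinned down by the later `AddressToUserId ==K (UserAddress |-> UserId:KItem _AddressToUserId:Map)` equation, which leaves the prover a map equation to solve instead of a structural match and makes the preceding `UserAddress in_keys(AddressToUserId)` conjunct redundant. The sibling cases bind it in the pattern; the same shape here would be `(UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map` in performLhs with the two map conjuncts dropped, which also removes the sort drift from `Usize` to `KItem`. The existential `u(?NumBoardMembersFinal:Int)`, `u(?NumProposersFinal:Int)` and `?UserIdToRoleFinal:Map` are weaker than needed if a user with no role leaves the counters and the role map untouched.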
@@ -0,0 +1,102 @@
+module TRUSTED-PERFORM-S-C-CALL
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ SCCall(
+ _To:Address,
+ _Amount:BigUint,
+ _Function:BoxedBytes,
+ _Arguments:ExpressionList) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-S-C-CALL
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ SCCall(
+ _To:Address,
+ _Amount:BigUint,
+ _Function:BoxedBytes,
+ _Arguments:ExpressionList) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k
new file mode 100644
index 000000000..72abceb2a
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k
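Review bot: TRUSTED-PERFORM-S-C-CALL states that performing `SCCall(_To, _Amount, _Function, _Arguments)` leaves every multisig storage cell unchanged and yields `evaluate(void)`, with `_To` completely unconstrained. That is sound only because the underlying semantics (not visible in this hunk) models the external call as a no-op on this contract's state; it silently encodes the assumption that the callee, including the case where `_To` is the multisig itself, cannot re-enter and modify the user, role or quorum tables before the action completes. Since the `[trusted]` version is what other invariant proofs consume, this deserves a comment on the claim, e.g. `// Assumes the callee cannot re-enter this contract: the external call is modelled as having no effect on multisig storage.`, so the assumption is reviewed rather than inherited.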
@@ -0,0 +1,102 @@
+module TRUSTED-PERFORM-S-C-DEPLOY
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ SCDeploy(
+ _Amount:BigUint,
+ _Code:BoxedBytes,
+ _CodeMetadata:CodeMetadata,
+ _Arguments:ExpressionList) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-S-C-DEPLOY
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ SCDeploy(
+ _Amount:BigUint,
+ _Code:BoxedBytes,
+ _CodeMetadata:CodeMetadata,
+ _Arguments:ExpressionList) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k
new file mode 100644
index 000000000..aad935b68
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k
@@ -0,0 +1,94 @@
+module TRUSTED-PERFORM-SEND-EGLD
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ SendEgld(_To:Address, _Amount:BigUint, _Data:BoxedBytes) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+ [trusted]
+endmodule
+
+module PROOF-PERFORM-SEND-EGLD
+ imports INVARIANT-EXECUTION
+
+ claim
+
+ performLhs(
+ SendEgld(_To:Address, _Amount:BigUint, _Data:BoxedBytes) #as Action:Action,
+ K:K,
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionState:ActionStateCell,
+ .List, // TODO: Stack:List,
+ CallerAddress:Address)
+
+ =>
+
+ performRhs(
+ evaluate(void),
+ K,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionState,
+ ?_Variables:Map,
+ .List, // TODO: Stack:List,
+ CallerAddress)
+
+ requires performRequires(
+ Action,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k
new file mode 100644
index 000000000..e13da234f
--- /dev/null
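Review bot: The send lemma treats `SendEgld(_To:Address, _Amount:BigUint, _Data:BoxedBytes)` as having no effect on any storage cell, exactly like the SC-call lemma, even though `_Data` is unconstrained; if the target platform interprets a non-empty `_Data` to a contract address as call data, a transfer is itself a call and the trusted claim makes the same no-reentrancy assumption as TRUSTED-PERFORM-S-C-CALL without saying so. A comment next to `[trusted]` such as `// Modelled as a pure transfer: _Data is not interpreted and the receiver cannot re-enter this contract.` would make the modelling boundary explicit. Balance is not part of the state this invariant tracks, so the unconstrained `_Amount` is fine here.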
+++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k
@@ -0,0 +1,63 @@
+module PROOF-PROPOSE-ADD-BOARD-MEMBER
+ imports INVARIANT-EXECUTION
+ imports PSEUDOCODE
+
+ claim
+ runExternalCalls(
+ ( from _:Address run proposeAddBoardMember(_Member:Address);
+ EC:ExternalCommands
+ )
+ )
+
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex0:Usize,
+ ActionData0:Map,
+ ActionSigners0:Map)
+
+ =>
+
+ runExternalCalls(EC)
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ?ActionLastIndex1:Usize,
+ ?ActionData1:Map,
+ ?ActionSigners1:Map):StateCell
+
+ requires invariant(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex0:Usize,
+ ActionData0:Map,
+ ActionSigners0:Map,
+ expand(expand(expanded)))
+ ensures true /*invariant(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ?ActionLastIndex1:Usize,
+ ?ActionData1:Map,
+ ?ActionSigners1:Map,
+ usesExpanded)*/
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k
new file mode 100644
index 000000000..f64e49935
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k
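Review bot: PROOF-PROPOSE-ADD-BOARD-MEMBER has its postcondition disabled, `ensures true /*invariant( ... usesExpanded)*/`, so the claim only proves that execution reaches `runExternalCalls(EC)` with the user cells unchanged and says nothing about `?ActionLastIndex1`, `?ActionData1` or `?ActionSigners1`, which is exactly the part of the invariant a proposal touches. The sibling proposal proofs in this commit (add-proposer, change-quorum, remove-user) all keep their `ensures invariant(...)` clause, and this one also uses `expand(expand(expanded))` in `requires` where they use `expand(expanded)`. If the ensures was commented out because the proof does not close, the module should say so with `// FIXME: ensures disabled, proof does not yet go through` rather than read like a passing invariant proof; otherwise restore the ensures clause to match the siblings.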
@@ -0,0 +1,63 @@
+module PROOF-PROPOSE-ADD-PROPOSER
+ imports INVARIANT-EXECUTION
+ imports PSEUDOCODE
+
+ claim
+ runExternalCalls(
+ ( from _:Address run proposeAddProposer(_Member:Address);
+ EC:ExternalCommands
+ )
+ )
+
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex0:Usize,
+ ActionData0:Map,
+ ActionSigners0:Map)
+
+ =>
+
+ runExternalCalls(EC)
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ?ActionLastIndex1:Usize,
+ ?ActionData1:Map,
+ ?ActionSigners1:Map):StateCell
+
+ requires invariant(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex0:Usize,
+ ActionData0:Map,
+ ActionSigners0:Map,
+ expand(expanded))
+ ensures invariant(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ?ActionLastIndex1:Usize,
+ ?ActionData1:Map,
+ ?ActionSigners1:Map,
+ usesExpanded)
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k
new file mode 100644
index 000000000..d5a147c4b
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k
@@ -0,0 +1,63 @@ +module PROOF-PROPOSE-CHANGE-QUORUM + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run proposeChangeQuorum(_Quorum:Usize); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k new file mode 100644 index 000000000..f73c11513 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k 
@@ -0,0 +1,63 @@ +module PROOF-PROPOSE-REMOVE-USER + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run proposeRemoveUser(_Member:Address); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k new file mode 100644 index 000000000..a0695f574 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k 
@@ -0,0 +1,68 @@ +module PROOF-PROPOSE-SC-CALL + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run proposeSCCall( + _To:Address, + _Amount:BigUint, + _Function:BoxedBytes, + Args:ExpressionList); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + andBool isKResult(Args) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k new file mode 100644 index 000000000..2a758e215 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k 
@@ -0,0 +1,70 @@ +module PROOF-PROPOSE-SC-DEPLOY + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run proposeSCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _Upgradeable:Bool, + _Payable:Bool, + _Readable:Bool, + Args:ExpressionList); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + andBool isKResult(Args) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k new file mode 100644 index 000000000..f500f99af --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k 
@@ -0,0 +1,63 @@ +module PROOF-PROPOSE-SEND-EGLD + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run proposeSendEgld(_To:Address, _Amount:BigUint); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-sign.k b/multisig/protocol-correctness/proof/invariant/proof-sign.k new file mode 100644 index 000000000..b757b0275 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-sign.k 
@@ -0,0 +1,63 @@ +module PROOF-SIGN + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run sign(_ActionId:Usize); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-unsign.k b/multisig/protocol-correctness/proof/invariant/proof-unsign.k new file mode 100644 index 000000000..394a7c442 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-unsign.k 
@@ -0,0 +1,63 @@ +module PROOF-UNSIGN + imports INVARIANT-EXECUTION + imports PSEUDOCODE + + claim + runExternalCalls( + ( from _:Address run unsign(ActionId:Usize); + EC:ExternalCommands + ) + ) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map) + + => + + runExternalCalls(EC) + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map):StateCell + + requires invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + ensures invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) +endmodule diff --git a/multisig/protocol-correctness/proof/proof-dependency.mak b/multisig/protocol-correctness/proof/proof-dependency.mak new file mode 100644 index 000000000..0b8e68898 --- /dev/null +++ b/multisig/protocol-correctness/proof/proof-dependency.mak @@ -0,0 +1,7 @@ +SEMANTICS_DIR = $(PROOF_DIR)/.. + +SEMANTICS_K := $(wildcard $(SEMANTICS_DIR)/*.k) + +PROOF_ALL := $(wildcard $(PROOF_DIR)/*.k) +PROOF_PROOFS := $(wildcard $(PROOF_DIR)/proof-*.k) +PROOF_EXECUTION := $(filter-out $(PROOF_PROOFS), $(PROOF_ALL)) $(SEMANTICS_K) diff --git a/multisig/protocol-correctness/proof/settings.mak b/multisig/protocol-correctness/proof/settings.mak new file mode 100644 index 000000000..9ba6eb94f --- /dev/null +++ b/multisig/protocol-correctness/proof/settings.mak 
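Review bot: In `from _:Address run unsign(ActionId:Usize)` the variable `ActionId` is named but never used anywhere else in the claim, whereas proof-sign.k writes the same position as `_ActionId:Usize`; K normally warns about named variables that occur only once, and the bare name suggests a constraint on the action id that does not exist. Change it to `unsign(_ActionId:Usize)` for consistency with proof-sign.k.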
@@ -0,0 +1,5 @@ +SHELL?=/bin/bash -euo pipefail + +BACKEND_COMMAND ?= "kore-exec --smt-timeout 200" +DEBUG_COMMAND ?= "kore-repl --smt-timeout 200 --repl-script /home/virgil/runtime-verification/k/haskell-backend/src/main/native/haskell-backend/kore/data/kast.kscript" +DIR_GUARD ?= @mkdir -p $(@D) From e7558978ba6daf7d066baed4f4da1ab05cccd9ce Mon Sep 17 00:00:00 2001 
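Review bot: `DEBUG_COMMAND` hard-codes `/home/virgil/runtime-verification/k/haskell-backend/.../kast.kscript`, a path that exists only on one developer's machine, so the debug target breaks for everyone else and a local directory layout is committed to the repository. Factor the path into its own overridable variable, e.g. `KAST_KSCRIPT ?= $(K_HASKELL_BACKEND_DIR)/kore/data/kast.kscript` and `DEBUG_COMMAND ?= "kore-repl --smt-timeout $(SMT_TIMEOUT) --repl-script $(KAST_KSCRIPT)"`, with `SMT_TIMEOUT ?= 200` shared by `BACKEND_COMMAND` so the two timeouts cannot drift apart.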
From: Virgil Serbanuta Date: Thu, 1 Apr 2021 11:08:11 +0300 Subject: [PATCH 04/37] Optimize perform --- .../proof/execution-proof.k | 28 ++++ .../proof/invariant/invariant-execution.k | 75 ++++----- .../proof/invariant/perform-parts.k | 75 ++++++++- .../invariant/proof-perform-action-endpoint.k | 78 +-------- .../proof/invariant/proof-perform-action.k | 155 ++++++++++++++---- .../invariant/proof-perform-add-proposer-1.k | 4 - .../invariant/proof-perform-add-proposer-2.k | 102 ------------ .../invariant/proof-perform-add-proposer-3.k | 4 - .../invariant/proof-perform-add-proposer-4.k | 118 ------------- .../invariant/proof-perform-add-proposer-5.k | 4 - .../invariant/proof-perform-add-proposer-6.k | 118 ------------- .../invariant/proof-perform-add-proposer-7.k | 4 - .../invariant/proof-perform-remove-user-1.k | 14 +- .../invariant/proof-perform-remove-user-10.k | 10 +- .../invariant/proof-perform-remove-user-2.k | 122 -------------- .../invariant/proof-perform-remove-user-3.k | 9 +- .../invariant/proof-perform-remove-user-4.k | 110 ------------- .../invariant/proof-perform-remove-user-5.k | 12 +- .../invariant/proof-perform-remove-user-6.k | 124 -------------- .../invariant/proof-perform-remove-user-7.k | 9 +- .../invariant/proof-perform-remove-user-8.k | 110 ------------- .../invariant/proof-perform-remove-user-9.k | 10 +- 22 files changed, 281 insertions(+), 1014 deletions(-) delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k delete mode 100644 
multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index 3f8287581..8f5862e5c 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k @@ -284,7 +284,13 @@ module EXECUTION-PROOF-HELPERS andBool notBool u(LastIndex +Int 1) in_keys(M) andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) ) + [simplification] + rule unusedIdsInMapKeys(LastIndex:Int +Int 1, keysMap(M):Map, usesExpanded) + => true + requires true + andBool notBool u(LastIndex +Int 1) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 2, keysMap(M), expanded) [simplification] /* @@ -372,6 +378,9 @@ module EXECUTION-PROOF-HELPERS rule countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0 [simplification] + rule countMapValues(_, _) +Int X:Int <=Int 0 => false + requires X >Int 0 + [simplification] // TODO: Replace these with generic int rules. rule 0 <=Int countMapValues(A, B) +Int X:Int => countMapValues(A, B) +Int X >=Int 0 [simplification] 
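Review bot: The new `[simplification]` lemma for `unusedIdsInMapKeys(LastIndex +Int 1, keysMap(M), usesExpanded)` tests its premise with `notBool u(LastIndex +Int 1) in_keys(M)` while the conclusion is stated over `keysMap(M)`; that is only sound if `keysMap` preserves the key set of `M`, which nothing in the hunk shows. Presumably that is exactly how `keysMap` is defined, but simplification rules are accepted by the prover without proof, so the dependency belongs next to the rule: `// Sound because keysMap(M) has exactly the keys of M, so in_keys may be tested on M.` If that property is itself provable, a claim for it would be better than relying on it implicitly.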
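Review bot: `countMapValues(_, _) +Int X:Int <=Int 0 => false requires X >Int 0` is valid only if `countMapValues` is never negative, and nothing in the rule says so; as a `[simplification]` it is trusted rather than checked. The adjacent `countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0` rule bakes in the same assumption, so I would state it once at the function's declaration and reference it here: `// Relies on countMapValues(_, _) >=Int 0 (it is a cardinality).`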
@@ -418,10 +427,29 @@ module EXECUTION-PROOF-HELPERS rule countCanSignFunction([_:Expression, Es:ExpressionCSV], M) => countCanSignFunction([Es], M) [owise] + rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], UserId |-> Role:UserRole M:Map) + => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. + requires canSignFunction(Role) + [simplification] + rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], UserId |-> Role:UserRole M:Map) + => countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. + requires notBool canSignFunction(Role) + [simplification] + rule countCanSignFunction(Es:ExpressionList, UserId |-> _:UserRole M:Map) + => countCanSignFunction(Es, M) + requires notBool #listContains(Es, UserId) + [simplification] + rule countCanSignFunction(Es:ExpressionList, concat(UserId, _:UserRole, M:Map)) + => countCanSignFunction(Es, M) + requires notBool #listContains(Es, UserId) + [simplification] rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], concat(UserId1:KItem, Role:UserRole, M:Map)) => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) [simplification] + rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], concat(UserId1:KItem, Role:UserRole, M:Map)) + => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) + [simplification] rule #countCanSignFunction(UserId:Usize, Es:ExpressionList, M:Map, Value:UserRole) => 1 +Int countCanSignFunction(Es, M[UserId <- undef]) requires canSignFunction(Value) diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index 2f10c7cb1..3c4f8b1df 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k 
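Review bot: The `#pushList` rules drop `UserId |-> Role` from the map after counting it so that a later occurrence of the same `UserId` in `Es` falls through to the `orDefault None` lookup and is not counted again; that deduplication is only correct if `canSignFunction(None)` is false, and the comment `Remove UserId from the map since each user is counted at most once` states the intent but not this dependency. I would extend it to `// Dropping the key makes later occurrences of UserId resolve to None and go uncounted, so duplicate signer ids count once; relies on canSignFunction(None) being false.` The two `notBool #listContains(Es, UserId)` rules are what let the prover discard map entries unrelated to the signer list; a one-line comment saying so would help whoever next has to debug a stuck `countCanSignFunction` term.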
+++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k 
@@ -106,48 +106,43 @@ module INVARIANT-INSTRUMENTATION _Arguments:ExpressionList)) => .K - syntax KItem ::= "splitting-delete-caller" - rule ( - splitting-action - => splitEquality(A1, A2) // TODO: remove - ~> splitBoolean(A1 in_keys(AddressToUserId)) - ~> splitting-delete-caller - ) - ~> call(performAction(RemoveUser(A1:Address))) - ... - AddressToUserId:Map - A2:KItem + syntax KItem ::= splittingDeleteCaller(Address) + syntax KItem ::= splittingDeleteCaller1(Address) + syntax KItem ::= splittingDeleteCaller2(Usize) + rule (splitting-action => splittingDeleteCaller(A)) + ~> call(performAction(RemoveUser(A:Address))) [priority(10)] - rule (splitting-delete-caller => .K) ... - [priority(20)] - syntax KItem ::= "splitting-delete-address-to-user-id" + rule splittingDeleteCaller(A:Address) + => splitBoolean(A in_keys(AddressToUserId)) + ~> branchK( + A in_keys(AddressToUserId), + splittingDeleteCaller1(A), + .K + ) + ... + AddressToUserId:Map rule ( - splitting-delete-caller + splittingDeleteCaller1(A:Address) => splitMap( A, AddressToUserId, ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) ~> cast(AddressToUserId[A], rUsize) ~> removeValue - ~> splitting-delete-address-to-user-id + ~> splitBoolean(AddressToUserId[A] in_keys(UserIdToRole)) + ~> branchK( + AddressToUserId[A] in_keys(UserIdToRole), + splittingDeleteCaller2({AddressToUserId[A]}:>Usize), + .K + ) ) - ~> call(performAction(RemoveUser(A:Address))) ... AddressToUserId:Map + UserIdToRole:Map requires A in_keys(AddressToUserId) - [priority(10)] - rule (splitting-delete-caller => .K) - ~> call(performAction(RemoveUser(A:Address))) - ... - AddressToUserId:Map - requires notBool (A in_keys(AddressToUserId)) - [priority(10)] - rule (splitting-delete-address-to-user-id => .K) ... - [priority(20)] - syntax KItem ::= "splitting-user-id-to-role" rule ( - splitting-delete-address-to-user-id + splittingDeleteCaller2(UserId:Usize) => splitMap( UserId, UserIdToRole, ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) 
@@ -155,29 +150,19 @@ module INVARIANT-INSTRUMENTATION ~> removeValue ~> lazyConcretizeKeys(UserIdToRole) ~> splitBoolean(UserIdToRole[UserId] ==K BoardMember) - ~> splitBoolean(Quorum <=Int NumBoardMembers -Int 1) - ~> splitBoolean(Quorum <=Int NumBoardMembers) + ~> branchK( + UserIdToRole[UserId] ==K BoardMember, + splitBoolean(Quorum <=Int NumBoardMembers -Int 1), + splitBoolean(Quorum <=Int NumBoardMembers) + ) ~> splitBoolean(NumBoardMembers -Int 1 +Int NumProposers >Int 0) - ~> splitting-user-id-to-role ) - ~> call(performAction(RemoveUser(A:Address))) ... - A |-> UserId:KItem _AddressToUserId:Map UserIdToRole:Map u(NumBoardMembers:Int) u(NumProposers:Int) u(Quorum:Int) requires UserId in_keys(UserIdToRole) - [priority(10)] - rule (splitting-delete-address-to-user-id => .K) - ~> call(performAction(RemoveUser(A:Address))) - ... - A |-> UserId:KItem _AddressToUserId:Map - UserIdToRole:Map - requires notBool (UserId in_keys(UserIdToRole)) - [priority(10)] - rule (splitting-user-id-to-role => .K) ... - [priority(20)] syntax KItem ::= concretizeValue(KItem) rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV) @@ -212,8 +197,7 @@ module INVARIANT-INSTRUMENTATION syntax KItem ::= "splitting-add-proposer-in-keys-atuid" rule ( splitting-action - => splitEquality(A1, A2) - ~> splitBoolean(A1 in_keys(AddressToUserId)) + => splitBoolean(A1 in_keys(AddressToUserId)) ~> branchK( A1 in_keys(AddressToUserId), lazySplitMap( @@ -238,7 +222,6 @@ module INVARIANT-INSTRUMENTATION ... AddressToUserId:Map UserIdToRole:Map - A2:KItem [priority(10)] rule splitting-add-proposer-in-keys-atuid => .K [priority(20)] diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k index b3b4db662..63556ee24 100644 --- a/multisig/protocol-correctness/proof/invariant/perform-parts.k +++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k 
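Review bot: The new instrumentation symbols `splittingDeleteCaller`, `splittingDeleteCaller1(Address)` and `splittingDeleteCaller2(Usize)` have no comment explaining that they exist only to make the prover case-split along the branches `performAction(RemoveUser(A))` takes (address registered, user id has a role, role is BoardMember), and as far as the hunk shows they only push split helpers (`splitBoolean`, `splitMap`, `branchK`) without writing any state cell. A one-line comment per symbol, e.g. `// Proof instrumentation only: case-split on whether A is a registered address before performAction(RemoveUser(A)) runs; does not change the state.`, would make clear these are not part of the contract semantics. It is also worth noting in the comment that the `requires A in_keys(AddressToUserId)` guard on `splittingDeleteCaller1` is now redundant with the `branchK` that dispatches to it and serves only as a sanity check.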
@@ -14,6 +14,17 @@ module PERFORM-PARTS userIdToRole:Map, quorum:Usize) [function, functional] + syntax Bool ::= performRequiresHandling( + action:Action, + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + handling:PropertyHandling) + [function, functional] syntax Bool ::= performEnsures( numUsers:Usize, userIdToAddress:Map, @@ -23,6 +34,16 @@ module PERFORM-PARTS userIdToRole:Map, quorum:Usize) [function, functional] + syntax Bool ::= performEnsuresHandling( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + handling:PropertyHandling) + [function, functional] syntax Bool ::= performInvariant( numUsers:Usize, userIdToAddress:Map, @@ -72,9 +93,19 @@ module PERFORM-PARTS u(NumProposers:Int), UserIdToRole:Map, u(Quorum:Int)) - => true - andBool isKResult(Action) - andBool performInvariant( + => performRequiresHandling( + Action, + UNumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + expand(expanded)) + + rule performRequiresHandling( + Action:Action, UNumUsers:Usize, UserIdToAddress:Map, AddressToUserId:Map, @@ -82,7 +113,18 @@ module PERFORM-PARTS u(NumProposers:Int), UserIdToRole:Map, u(Quorum:Int), - expand(expanded)) + Handling:PropertyHandling) + => true + andBool isKResult(Action) + andBool performInvariant( + UNumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + Handling) rule performEnsures( UNumUsers:Usize, 
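Review bot: `performRequiresHandling` and `performEnsuresHandling` introduce a `handling:PropertyHandling` argument without documenting what it selects; from the call sites in this file the hypothesis side passes `expand(expanded)` and the conclusion side `usesExpanded`, so the value appears to control how `performInvariant` is unfolded, and choosing the wrong one at a new call site would presumably make a proof stall rather than fail loudly. A comment on the declaration, e.g. `// handling: how the invariant is unfolded — expand(...) on the requires side, usesExpanded on the ensures side (see performRequires / performEnsures).`, would prevent that.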
@@ -92,8 +134,17 @@ module PERFORM-PARTS u(NumProposers:Int), UserIdToRole:Map, u(Quorum:Int)) - => true - andBool performInvariant( + => performEnsuresHandling( + UNumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + usesExpanded) + + rule performEnsuresHandling( UNumUsers:Usize, UserIdToAddress:Map, AddressToUserId:Map, @@ -101,7 +152,17 @@ module PERFORM-PARTS u(NumProposers:Int), UserIdToRole:Map, u(Quorum:Int), - usesExpanded) + Handling:PropertyHandling) + => true + andBool performInvariant( + UNumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + Handling) // TODO: Use the main invariant. rule performInvariant( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k index b96015082..6b2fb9373 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k 
@@ -1,60 +1,12 @@ require "proof-count-can-sign.k" -require "proof-perform-add-board-member.k" -require "proof-perform-add-proposer-1.k" -require "proof-perform-add-proposer-2.k" -require "proof-perform-add-proposer-3.k" -require "proof-perform-add-proposer-4.k" -require "proof-perform-add-proposer-5.k" -require "proof-perform-add-proposer-6.k" -require "proof-perform-add-proposer-7.k" -require "proof-perform-add-proposer-8.k" -require "proof-perform-add-proposer-9.k" -require "proof-perform-change-quorum.k" -require "proof-perform-nothing.k" -require "proof-perform-remove-user-1.k" -require "proof-perform-remove-user-2.k" -require "proof-perform-remove-user-3.k" -require "proof-perform-remove-user-4.k" -require "proof-perform-remove-user-5.k" -require "proof-perform-remove-user-6.k" -require "proof-perform-remove-user-7.k" -require "proof-perform-remove-user-8.k" -require "proof-perform-remove-user-9.k" -require "proof-perform-remove-user-10.k" -require "proof-perform-s-c-call.k" -require "proof-perform-s-c-deploy.k" -require "proof-perform-send-egld.k" +require "proof-perform-action.k" module PROOF-PERFORM-ACTION-ENDPOINT imports INVARIANT-EXECUTION imports PSEUDOCODE imports TRUSTED-COUNT-CAN-SIGN - imports TRUSTED-PERFORM-ADD-BOARD-MEMBER - imports TRUSTED-PERFORM-ADD-PROPOSER-1 - imports TRUSTED-PERFORM-ADD-PROPOSER-2 - imports TRUSTED-PERFORM-ADD-PROPOSER-3 - imports TRUSTED-PERFORM-ADD-PROPOSER-4 - imports TRUSTED-PERFORM-ADD-PROPOSER-5 - imports TRUSTED-PERFORM-ADD-PROPOSER-6 - imports TRUSTED-PERFORM-ADD-PROPOSER-7 - imports TRUSTED-PERFORM-ADD-PROPOSER-8 - imports TRUSTED-PERFORM-ADD-PROPOSER-9 - imports TRUSTED-PERFORM-CHANGE-QUORUM - imports TRUSTED-PERFORM-NOTHING - imports TRUSTED-PERFORM-REMOVE-USER-1 - imports TRUSTED-PERFORM-REMOVE-USER-2 - imports TRUSTED-PERFORM-REMOVE-USER-3 - imports TRUSTED-PERFORM-REMOVE-USER-4 - imports TRUSTED-PERFORM-REMOVE-USER-5 - imports TRUSTED-PERFORM-REMOVE-USER-6 - imports TRUSTED-PERFORM-REMOVE-USER-7 - imports 
TRUSTED-PERFORM-REMOVE-USER-8 - imports TRUSTED-PERFORM-REMOVE-USER-9 - imports TRUSTED-PERFORM-REMOVE-USER-10 - imports TRUSTED-PERFORM-S-C-CALL - imports TRUSTED-PERFORM-S-C-DEPLOY - imports TRUSTED-PERFORM-SEND-EGLD + imports TRUSTED-PERFORM-ACTION claim runExternalCalls( @@ -115,32 +67,6 @@ module PROOF-PERFORM-ACTION-ENDPOINT ?ActionSigners1:Map, usesExpanded) -/* - claim - call(userRoleCanPropose(U:UserRole)) ~> K:K - - State:StateCell - - => - - true ~> K - State:StateCell - - requires notBool U ==K None - - claim - call(userRoleCanPropose(U:UserRole)) ~> K:K - - State:StateCell - - => - - false ~> K - State - - requires U ==K None -*/ - claim call(getActionSignerIds(ActionId:Usize)) ~> K:K diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k index d6ef2bf8f..cffdbc5a5 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k 
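Review bot: The endpoint proof now rests on one `[trusted]` claim from TRUSTED-PERFORM-ACTION instead of twenty-six per-case trusted modules, which is a welcome simplification, but it concentrates the whole `performAction` trust on a summary that is discharged elsewhere (PROOF-PERFORM-ACTION in proof-perform-action.k) and nothing in this file records that obligation. As far as I know `require "proof-perform-action.k"` only makes the module visible to this file; it does not cause that proof to be checked. A comment next to the import, `// TRUSTED-PERFORM-ACTION summarises the claim proved in PROOF-PERFORM-ACTION; keep the two claims textually identical and ensure the Makefile checks proof-perform-action.k whenever this file is checked.`, would document the dependency.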
@@ -1,52 +1,144 @@ require "proof-perform-add-board-member.k" require "proof-perform-add-proposer-1.k" -require "proof-perform-add-proposer-2.k" require "proof-perform-add-proposer-3.k" -require "proof-perform-add-proposer-4.k" require "proof-perform-add-proposer-5.k" -require "proof-perform-add-proposer-6.k" require "proof-perform-add-proposer-7.k" require "proof-perform-add-proposer-8.k" require "proof-perform-add-proposer-9.k" require "proof-perform-change-quorum.k" require "proof-perform-nothing.k" require "proof-perform-remove-user-1.k" -require "proof-perform-remove-user-2.k" require "proof-perform-remove-user-3.k" -require "proof-perform-remove-user-4.k" require "proof-perform-remove-user-5.k" -require "proof-perform-remove-user-6.k" require "proof-perform-remove-user-7.k" -require "proof-perform-remove-user-8.k" require "proof-perform-remove-user-9.k" require "proof-perform-remove-user-10.k" require "proof-perform-s-c-call.k" require "proof-perform-s-c-deploy.k" require "proof-perform-send-egld.k" +module TRUSTED-PERFORM-ACTION + imports INVARIANT-EXECUTION + + claim + + + splitAction ( A:Action ) + ~> splitting-action + ~> call ( performAction ( A ) ) + ~> popContext + ~> evaluateReturnValue + ~> popContext + ~> evaluateReturnValue + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> runExternalCalls ( EC ) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + CallerAddress:Address, + ListItem(stackEntry(_:MultisigStateCell, _:Map)) + ListItem(stackEntry(_:MultisigStateCell, _:Map)) + ListItem(stackEntry( + invariantMultisigState( + NumUsersS:Usize, + UserIdToAddressS:Map, + AddressToUserIdS:Map, + NumBoardMembersS:Usize, + NumProposersS:Usize, + UserRolesS:Map, + QuorumS:Usize, + ActionLastIndexS:Usize, + ActionDataS:Map, + 
ActionSignersS:Map):MultisigStateCell, + .Map))) + + => + + clearExternalCallEnv + ~> runExternalCalls(EC) + invariantStateStack( + u(?NumUsers1:Int), + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + u(?NumBoardMembers1:Int), + u(?NumProposers1:Int), + ?UserRoles1:Map, + u(?Quorum1:Int), + u(?ActionLastIndex1:Int), + ?ActionData1:Map, + ?ActionSigners1:Map, + CallerAddress:Address, + .List):StateCell + + requires true + andBool invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + usesExpanded) + andBool invariant( + NumUsersS:Usize, + UserIdToAddressS:Map, + AddressToUserIdS:Map, + NumBoardMembersS:Usize, + NumProposersS:Usize, + UserRolesS:Map, + QuorumS:Usize, + ActionLastIndexS:Usize, + ActionDataS:Map, + ActionSignersS:Map, + usesExpanded) + andBool isKResult(A) + ensures true + andBool invariant( + u(?NumUsers1), + ?UserIdToAddress1, + ?AddressToUserId1, + u(?NumBoardMembers1), + u(?NumProposers1), + ?UserRoles1, + u(?Quorum1), + u(?ActionLastIndex1), + ?ActionData1, + ?ActionSigners1, + expanded) + [trusted] +endmodule + module PROOF-PERFORM-ACTION imports INVARIANT-EXECUTION imports TRUSTED-PERFORM-ADD-BOARD-MEMBER imports TRUSTED-PERFORM-ADD-PROPOSER-1 - imports TRUSTED-PERFORM-ADD-PROPOSER-2 imports TRUSTED-PERFORM-ADD-PROPOSER-3 - imports TRUSTED-PERFORM-ADD-PROPOSER-4 imports TRUSTED-PERFORM-ADD-PROPOSER-5 - imports TRUSTED-PERFORM-ADD-PROPOSER-6 imports TRUSTED-PERFORM-ADD-PROPOSER-7 imports TRUSTED-PERFORM-ADD-PROPOSER-8 imports TRUSTED-PERFORM-ADD-PROPOSER-9 imports TRUSTED-PERFORM-CHANGE-QUORUM imports TRUSTED-PERFORM-NOTHING imports TRUSTED-PERFORM-REMOVE-USER-1 - imports TRUSTED-PERFORM-REMOVE-USER-2 imports TRUSTED-PERFORM-REMOVE-USER-3 - imports TRUSTED-PERFORM-REMOVE-USER-4 imports TRUSTED-PERFORM-REMOVE-USER-5 - imports TRUSTED-PERFORM-REMOVE-USER-6 imports 
TRUSTED-PERFORM-REMOVE-USER-7 - imports TRUSTED-PERFORM-REMOVE-USER-8 imports TRUSTED-PERFORM-REMOVE-USER-9 imports TRUSTED-PERFORM-REMOVE-USER-10 imports TRUSTED-PERFORM-S-C-CALL @@ -98,16 +190,17 @@ module PROOF-PERFORM-ACTION => - runExternalCalls(EC) + clearExternalCallEnv + ~> runExternalCalls(EC) invariantStateStack( - ?NumUsers1:Usize, + u(?NumUsers1:Int), ?UserIdToAddress1:Map, ?AddressToUserId1:Map, - ?NumBoardMembers1:Usize, - ?NumProposers1:Usize, + u(?NumBoardMembers1:Int), + u(?NumProposers1:Int), ?UserRoles1:Map, - ?Quorum1:Usize, - ?ActionLastIndex1:Usize, + u(?Quorum1:Int), + u(?ActionLastIndex1:Int), ?ActionData1:Map, ?ActionSigners1:Map, CallerAddress:Address, @@ -141,15 +234,15 @@ module PROOF-PERFORM-ACTION andBool isKResult(A) ensures true andBool invariant( - ?NumUsers1:Usize, - ?UserIdToAddress1:Map, - ?AddressToUserId1:Map, - ?NumBoardMembers1:Usize, - ?NumProposers1:Usize, - ?UserRoles1:Map, - ?Quorum1:Usize, - ?ActionLastIndex1:Usize, - ?ActionData1:Map, - ?ActionSigners1:Map, + u(?NumUsers1), + ?UserIdToAddress1, + ?AddressToUserId1, + u(?NumBoardMembers1), + u(?NumProposers1), + ?UserRoles1, + u(?Quorum1), + u(?ActionLastIndex1), + ?ActionData1, + ?ActionSigners1, usesExpanded) -endmodule \ No newline at end of file +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k index b7ed250c7..a25809a32 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-1 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, 
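Review bot: The trusted summary and the claim it stands for disagree on the property-handling argument: TRUSTED-PERFORM-ACTION's `ensures` calls `invariant(..., expanded)` while PROOF-PERFORM-ACTION's `ensures` (hunk `@@ -141,15 +234,15 @@`) calls `invariant(..., usesExpanded)`, and the trusted `requires` uses `usesExpanded` for both invariants where the proved claim's precondition lies outside this hunk. A `[trusted]` claim is accepted without proof, so any difference between it and the proved claim is an unverified assumption — if `expanded` and `usesExpanded` select different unfoldings of `invariant`, the endpoint proof may be relying on a postcondition that was never established. Either make the two claims textually identical apart from `[trusted]`, or add a comment at the trusted claim explaining why the `expanded` form follows from the proved `usesExpanded` form. The `requires` of PROOF-PERFORM-ACTION starts outside the hunk, so I could not compare that side.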
@@ -47,7 +46,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-1 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool Quorum ==K NumBoardMembers [trusted] @@ -65,7 +63,6 @@ module PROOF-PERFORM-ADD-PROPOSER-1 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -102,7 +99,6 @@ module PROOF-PERFORM-ADD-PROPOSER-1 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool Quorum ==K NumBoardMembers endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k deleted file mode 100644 index ccc342cee..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-2.k +++ /dev/null 
@@ -1,102 +0,0 @@ -module TRUSTED-PERFORM-ADD-PROPOSER-2 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - error, - K, - u(?_NumUsersFinal:Int), - ?_UserIdToAddressFinal:Map, - ?_AddressToUserIdFinal:Map, - u(?_NumBoardMembersFinal:Int), - u(?_NumProposersFinal:Int), - ?_UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool Quorum ==K NumBoardMembers - [trusted] -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-2 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - error, - K, - u(?_NumUsersFinal:Int), - ?_UserIdToAddressFinal:Map, - ?_AddressToUserIdFinal:Map, - u(?_NumBoardMembersFinal:Int), - u(?_NumProposersFinal:Int), - ?_UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool Quorum ==K NumBoardMembers -endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k index 63c63c6b6..5b2f7736b 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-3 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -47,7 +46,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-3 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool notBool (Quorum ==K NumBoardMembers) ensures performEnsures( u(?NumUsersFinal), @@ -73,7 +71,6 @@ module PROOF-PERFORM-ADD-PROPOSER-3 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -110,7 +107,6 @@ module PROOF-PERFORM-ADD-PROPOSER-3 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool notBool (Quorum ==K NumBoardMembers) ensures performEnsures( u(?NumUsersFinal), diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k deleted file mode 100644 index c3f917bdd..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-4.k +++ /dev/null 
@@ -1,118 +0,0 @@ -module TRUSTED-PERFORM-ADD-PROPOSER-4 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (Quorum ==K NumBoardMembers) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-4 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires performRequires( - Action, - 
NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (Quorum ==K NumBoardMembers) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k index 109492b06..b5f426e1a 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-5 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -47,7 +46,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-5 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool notBool (ProposerRole ==K BoardMember) ensures performEnsures( u(?NumUsersFinal), @@ -73,7 +71,6 @@ module PROOF-PERFORM-ADD-PROPOSER-5 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -110,7 +107,6 @@ module PROOF-PERFORM-ADD-PROPOSER-5 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool notBool (ProposerRole ==K BoardMember) ensures performEnsures( u(?NumUsersFinal), diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k deleted file mode 100644 index 30347cd63..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-6.k +++ /dev/null 
@@ -1,118 +0,0 @@ -module TRUSTED-PERFORM-ADD-PROPOSER-6 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerRole ==K BoardMember) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-6 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires 
performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerRole ==K BoardMember) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k index a3fc8e34f..99676a1f8 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-7 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -47,7 +46,6 @@ module TRUSTED-PERFORM-ADD-PROPOSER-7 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool notBool (ProposerId in_keys(UserIdToRole)) ensures performEnsures( u(?NumUsersFinal), @@ -73,7 +71,6 @@ module PROOF-PERFORM-ADD-PROPOSER-7 UserIdToAddress:Map, ( ProposerAddress |-> ProposerId:Usize - CallerAddress |-> _:Usize _:Map ) #as AddressToUserId:Map, NumBoardMembers:Usize, @@ -110,7 +107,6 @@ module PROOF-PERFORM-ADD-PROPOSER-7 NumProposers, UserIdToRole, Quorum) - andBool notBool (ProposerAddress ==K CallerAddress) andBool notBool (ProposerId in_keys(UserIdToRole)) ensures performEnsures( u(?NumUsersFinal), diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k index 60d3dc047..473b0baaa 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k 
@@ -10,7 +10,6 @@ module TRUSTED-PERFORM-REMOVE-USER-1 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), @@ -38,7 +37,7 @@ module TRUSTED-PERFORM-REMOVE-USER-1 Stack:List, CallerAddress) - requires performRequires( + requires performRequiresHandling( Action, NumUsers, UserIdToAddress, @@ -46,18 +45,19 @@ module TRUSTED-PERFORM-REMOVE-USER-1 u(NumBoardMembers), u(NumProposers), UserIdToRole, - u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) + u(Quorum), + usesExpanded) andBool Quorum <=Int NumBoardMembers -Int 1 andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) - ensures performEnsures( + ensures performEnsuresHandling( u(?NumUsersFinal), ?UserIdToAddressFinal, ?AddressToUserIdFinal, u(?NumBoardMembersFinal), u(?NumProposersFinal), UserIdToRoleFinal, - u(Quorum)) + u(Quorum), + expanded) [trusted] endmodule @@ -74,7 +74,6 @@ module PROOF-PERFORM-REMOVE-USER-1 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), @@ -111,7 +110,6 @@ module PROOF-PERFORM-REMOVE-USER-1 u(NumProposers), UserIdToRole, u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) andBool Quorum <=Int NumBoardMembers -Int 1 andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) ensures performEnsures( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k index b9af293ad..92fb85a1e 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k @@ -34,7 +34,7 @@ module TRUSTED-PERFORM-REMOVE-USER-10 Stack:List, CallerAddress) - requires performRequires( + requires performRequiresHandling( Action, NumUsers, UserIdToAddress, 
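Review bot: The trusted lemma and its proof obligation for RemoveUser case 1 no longer state the same claim: TRUSTED-PERFORM-REMOVE-USER-1 now uses `requires performRequiresHandling(..., u(Quorum), usesExpanded)` and `ensures performEnsuresHandling(..., u(Quorum), expanded)`, but the PROOF-PERFORM-REMOVE-USER-1 hunk still closes its requires with `u(Quorum))` and keeps `ensures performEnsures(`. Whatever PROOF-PERFORM-ACTION assumes under `[trusted]` should be the exact text the PROOF module discharges; as written, the Handling variant with its expansion flags is assumed but never proven. Unless the Handling helpers are defined as the plain forms plus a flag that is provably irrelevant, switch the PROOF module to the same `performRequiresHandling(..., usesExpanded)` / `performEnsuresHandling(..., expanded)` pair. Both claims extend beyond the hunks shown here.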
@@ -42,16 +42,18 @@ module TRUSTED-PERFORM-REMOVE-USER-10 NumBoardMembers, NumProposers, UserIdToRole, - Quorum) + Quorum, + usesExpanded) andBool notBool (UserAddress in_keys(AddressToUserId)) - ensures performEnsures( + ensures performEnsuresHandling( NumUsers, UserIdToAddress, AddressToUserId, NumBoardMembers, NumProposers, UserIdToRole, - Quorum) + Quorum, + expanded) [trusted] endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k deleted file mode 100644 index c17b678f9..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-2.k +++ /dev/null 
@@ -1,122 +0,0 @@ -module TRUSTED-PERFORM-REMOVE-USER-2 - imports INVARIANT-EXECUTION - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - UserIdToRoleFinal, - u(Quorum), - ActionState, - ?_Variables:Map, - Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool Quorum <=Int NumBoardMembers -Int 1 - andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - UserIdToRoleFinal, - u(Quorum)) - [trusted] -endmodule - -module PROOF-PERFORM-REMOVE-USER-2 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - 
u(?NumProposersFinal:Int), - UserIdToRoleFinal, - u(Quorum), - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool Quorum <=Int NumBoardMembers -Int 1 - andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - UserIdToRoleFinal, - u(Quorum)) - -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k index 514db9ec3..16ecafed0 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-REMOVE-USER-3 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), @@ -38,7 +37,7 @@ module TRUSTED-PERFORM-REMOVE-USER-3 Stack:List, CallerAddress) - requires performRequires( + requires performRequiresHandling( Action, NumUsers, UserIdToAddress, @@ -46,8 +45,8 @@ module TRUSTED-PERFORM-REMOVE-USER-3 u(NumBoardMembers), u(NumProposers), UserIdToRole, - u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) + u(Quorum), + usesExpanded) andBool notBool ((Quorum <=Int NumBoardMembers -Int 1) andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) @@ -68,7 +67,6 @@ module PROOF-PERFORM-REMOVE-USER-3 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), 
@@ -105,7 +103,6 @@ module PROOF-PERFORM-REMOVE-USER-3 u(NumProposers), UserIdToRole, u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) andBool notBool ((Quorum <=Int NumBoardMembers -Int 1) andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k deleted file mode 100644 index 91af743c7..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-4.k +++ /dev/null 
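Review bot: PROOF-PERFORM-REMOVE-USER-3 still ends its precondition with `u(Quorum))`, i.e. the eight-argument `performRequires`, whereas the trusted twin earlier in this file was changed to `performRequiresHandling(..., u(Quorum), usesExpanded)`. The assumed and the proven statements should match token for token, otherwise the `[trusted]` module is vouching for a claim with a different hypothesis than the one the prover checks. Please apply the same `performRequiresHandling` rewrite here, or add a comment in the trusted module explaining why the flag-free form suffices. The claim starts before this hunk.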
@@ -1,110 +0,0 @@ -module TRUSTED-PERFORM-REMOVE-USER-4 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - error, - K, - ?_NumUsersFinal, - ?_UserIdToAddressFinal, - ?_AddressToUserIdFinal, - ?_NumBoardMembersFinal, - ?_NumProposersFinal, - ?_UserIdToRoleFinal, - u(Quorum), - ActionState, - ?_Variables:Map, - Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool notBool - ((Quorum <=Int NumBoardMembers -Int 1) - andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) - ) - [trusted] -endmodule - -module PROOF-PERFORM-REMOVE-USER-4 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - error, - K, - ?_NumUsersFinal, - ?_UserIdToAddressFinal, - ?_AddressToUserIdFinal, - ?_NumBoardMembersFinal, - ?_NumProposersFinal, - ?_UserIdToRoleFinal, - u(Quorum), - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - 
u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool notBool - ((Quorum <=Int NumBoardMembers -Int 1) - andBool (NumBoardMembers -Int 1 +Int NumProposers >Int 0) - ) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k index 7232cca7d..7c7b8c824 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-REMOVE-USER-5 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), @@ -38,7 +37,7 @@ module TRUSTED-PERFORM-REMOVE-USER-5 Stack:List, CallerAddress) - requires performRequires( + requires performRequiresHandling( Action, NumUsers, UserIdToAddress, @@ -46,19 +45,20 @@ module TRUSTED-PERFORM-REMOVE-USER-5 u(NumBoardMembers), u(NumProposers), UserIdToRole, - u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) + u(Quorum), + usesExpanded) andBool notBool (UserRole ==K BoardMember) andBool Quorum <=Int NumBoardMembers andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) - ensures performEnsures( + ensures performEnsuresHandling( u(?NumUsersFinal), ?UserIdToAddressFinal, ?AddressToUserIdFinal, u(?NumBoardMembersFinal), u(?NumProposersFinal), UserIdToRoleFinal, - u(Quorum)) + u(Quorum), + expanded) [trusted] endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k deleted file mode 100644 index 19b6a16be..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-6.k +++ /dev/null 
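Review bot: Only TRUSTED-PERFORM-REMOVE-USER-5 is edited in this file: it drops `CallerAddress |-> _:Usize` and `notBool (UserAddress ==K CallerAddress)` and moves to `performRequiresHandling`/`performEnsuresHandling`, yet no hunk touches a PROOF-PERFORM-REMOVE-USER-5 module the way proof-perform-remove-user-1.k and -3.k do. If this file has such a module (it is not visible here), the obligation still being proven is the narrower pre-patch claim, and the self-removal case the broadened trusted lemma now covers (UserAddress equal to CallerAddress, with proof-perform-remove-user-6.k deleted) is assumed without a proof. Mirror the three edits in the PROOF module, or record in the trusted module where the merged case is discharged.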
@@ -1,124 +0,0 @@ -module TRUSTED-PERFORM-REMOVE-USER-6 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - UserIdToRoleFinal, - u(Quorum:Int), - ActionState, - ?_Variables:Map, - Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool notBool (UserRole ==K BoardMember) - andBool Quorum <=Int NumBoardMembers - andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - UserIdToRoleFinal, - u(Quorum)) - [trusted] -endmodule - -module PROOF-PERFORM-REMOVE-USER-6 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - 
u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - UserIdToRoleFinal, - u(Quorum:Int), - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool notBool (UserRole ==K BoardMember) - andBool Quorum <=Int NumBoardMembers - andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - UserIdToRoleFinal, - u(Quorum)) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k index 98a7aa10a..fe8bc9b33 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k @@ -10,7 +10,6 @@ module TRUSTED-PERFORM-REMOVE-USER-7 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), @@ -38,7 +37,7 @@ module TRUSTED-PERFORM-REMOVE-USER-7 Stack:List, CallerAddress) - requires performRequires( + requires performRequiresHandling( Action, NumUsers, UserIdToAddress, @@ -46,8 +45,8 @@ module TRUSTED-PERFORM-REMOVE-USER-7 u(NumBoardMembers), u(NumProposers), UserIdToRole, - u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) + u(Quorum), + usesExpanded) andBool notBool (UserRole ==K BoardMember) andBool notBool ( Quorum <=Int NumBoardMembers @@ -67,7 +66,6 @@ module PROOF-PERFORM-REMOVE-USER-7 UserIdToAddress:Map, ( UserAddress |-> UserId:Usize - CallerAddress |-> _:Usize _AddressToUserId:Map ) #as AddressToUserId:Map, u(NumBoardMembers:Int), 
@@ -104,7 +102,6 @@ module PROOF-PERFORM-REMOVE-USER-7 u(NumProposers), UserIdToRole, u(Quorum)) - andBool notBool (UserAddress ==K CallerAddress) andBool notBool (UserRole ==K BoardMember) andBool notBool ( Quorum <=Int NumBoardMembers diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k deleted file mode 100644 index 7850f6dfc..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-8.k +++ /dev/null 
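Review bot: PROOF-PERFORM-REMOVE-USER-7 keeps the plain `performRequires(...)` form, visible from the `u(Quorum))` that closes its precondition, while TRUSTED-PERFORM-REMOVE-USER-7 in the hunk above now requires `performRequiresHandling(..., u(Quorum), usesExpanded)`. Since the trusted module is what PROOF-PERFORM-ACTION imports, a divergence here means the prover checks one hypothesis and the composed proof relies on another. Update the PROOF module to `performRequiresHandling(..., u(Quorum), usesExpanded)` so the two stay in lock-step. The claim begins outside this hunk.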
@@ -1,110 +0,0 @@ -module TRUSTED-PERFORM-REMOVE-USER-8 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - Stack:List, - CallerAddress:Address) - - => - - performRhs( - error, - K, - ?_NumUsers, - ?_UserIdToAddress, - ?_AddressToUserId, - ?_NumBoardMembers, - ?_NumProposers, - ?_UserIdToRole, - u(Quorum:Int), - ActionState, - ?_Variables:Map, - Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool notBool (UserRole ==K BoardMember) - andBool notBool ( - Quorum <=Int NumBoardMembers - andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0)) - [trusted] -endmodule - -module PROOF-PERFORM-REMOVE-USER-8 - imports INVARIANT-EXECUTION - - claim - - performLhs( - RemoveUser(UserAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - UserAddress |-> UserId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, - u(Quorum:Int), - ActionState:ActionStateCell, - .List, // TODO: Stack:List, - CallerAddress:Address) - - => - - performRhs( - error, - K, - ?_NumUsers, - ?_UserIdToAddress, - ?_AddressToUserId, - ?_NumBoardMembers, - ?_NumProposers, - ?_UserIdToRole, - u(Quorum:Int), - ActionState, - ?_Variables:Map, - .List, // TODO: Stack:List, - CallerAddress) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - 
u(NumProposers), - UserIdToRole, - u(Quorum)) - andBool (UserAddress ==K CallerAddress) - andBool notBool (UserRole ==K BoardMember) - andBool notBool ( - Quorum <=Int NumBoardMembers - andBool (NumBoardMembers +Int (NumProposers -Int 1) >Int 0)) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k index 58ab24bae..b49fe8b1d 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k @@ -34,7 +34,7 @@ module TRUSTED-PERFORM-REMOVE-USER-9 Stack:List, CallerAddress) - requires performRequires( + requires performRequiresHandling( Action, NumUsers, UserIdToAddress, @@ -42,18 +42,20 @@ module TRUSTED-PERFORM-REMOVE-USER-9 NumBoardMembers, NumProposers, UserIdToRole, - Quorum) + Quorum, + usesExpanded) andBool notBool (UserId in_keys(UserIdToRole)) andBool UserAddress in_keys(AddressToUserId) andBool AddressToUserId ==K (UserAddress |-> UserId:KItem _AddressToUserId:Map) - ensures performEnsures( + ensures performEnsuresHandling( u(?NumUsersFinal), ?UserIdToAddressFinal, ?AddressToUserIdFinal, u(?NumBoardMembersFinal), u(?NumProposersFinal), ?UserIdToRoleFinal, - Quorum) + Quorum, + usesExpanded) [trusted] endmodule From b42a21905d2f055601a2c4fbe6ee3cf70fed0c9e Mon Sep 17 00:00:00 2001 
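Review bot: The `ensures performEnsuresHandling(...)` of TRUSTED-PERFORM-REMOVE-USER-9 ends with `usesExpanded)`, whereas the sibling trusted lemmas in this series (REMOVE-USER-1, -5 and -10) all end theirs with `expanded)`. If `expanded` is the postcondition form PROOF-PERFORM-ACTION expects when chaining these lemmas, the case where `UserId` is absent from `UserIdToRole` will not compose with the others, and because the module is `[trusted]` the prover will not flag it. Change the last argument to `expanded)` if that is the convention, or add a one-line comment explaining why this case deliberately differs.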
From: Virgil Serbanuta Date: Thu, 1 Apr 2021 20:54:32 +0300 Subject: [PATCH 05/37] Functions optimization --- .../proof/execution-proof.k | 59 ++++ .../proof/functions/Makefile | 20 ++ .../proof/functions/functions-dependency.mak | 3 + .../proof/functions/functions-execute.k | 20 ++ .../proof/functions/functions.mak | 39 +++ .../proof-change-user-role-BoardMember.k | 92 +++++ .../functions/proof-change-user-role-New.k | 104 ++++++ .../functions/proof-change-user-role-None.k | 96 +++++ .../proof-change-user-role-Proposer.k | 92 +++++ .../proof-propose-action-BoardMember.k | 122 +++++++ .../functions/proof-propose-action-Proposer.k | 122 +++++++ .../functions/proof-propose-action-error.k | 116 ++++++ .../proof/functions/proof-sign-caller-none.k | 100 ++++++ .../functions/proof-sign-caller-not-user.k | 100 ++++++ .../functions/proof-sign-caller-proposer.k | 102 ++++++ .../proof/functions/proof-sign-empty-action.k | 92 +++++ .../proof-sign-existing-signers-in-list.k | 104 ++++++ .../proof-sign-existing-signers-not-in-list.k | 104 ++++++ .../proof/functions/proof-sign-no-signers.k | 105 ++++++ .../protocol-correctness/proof/invariant.k | 78 ++++- .../proof/invariant/count-can-sign-parts.k | 6 - .../proof/invariant/init-loop-parts.k | 6 - .../proof/invariant/invariant-execution.k | 329 ++++++++++++------ .../proof/invariant/perform-parts.k | 8 +- .../proof/invariant/proof-listlen.k | 4 +- .../proof-perform-add-board-member.k | 12 + .../invariant/proof-perform-add-proposer-3.k | 12 + .../invariant/proof-perform-add-proposer-5.k | 12 + .../invariant/proof-perform-add-proposer-7.k | 12 + .../invariant/proof-perform-add-proposer-8.k | 12 + .../invariant/proof-perform-add-proposer-9.k | 12 + .../invariant/proof-perform-remove-user-1.k | 12 + .../invariant/proof-perform-remove-user-10.k | 12 + .../invariant/proof-perform-remove-user-5.k | 12 + .../invariant/proof-perform-remove-user-9.k | 12 + .../proof-propose-add-board-member.k | 16 +- 
.../invariant/proof-propose-add-proposer.k | 10 + .../invariant/proof-propose-change-quorum.k | 10 + .../invariant/proof-propose-remove-user.k | 10 + .../proof/invariant/proof-propose-sc-call.k | 10 + .../proof/invariant/proof-propose-sc-deploy.k | 10 + .../proof/invariant/proof-propose-send-egld.k | 10 + .../proof/invariant/proof-sign.k | 16 + 43 files changed, 2110 insertions(+), 125 deletions(-) create mode 100644 multisig/protocol-correctness/proof/functions/Makefile create mode 100644 multisig/protocol-correctness/proof/functions/functions-dependency.mak create mode 100644 multisig/protocol-correctness/proof/functions/functions-execute.k create mode 100644 multisig/protocol-correctness/proof/functions/functions.mak create mode 100644 multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-action-error.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k create 
mode 100644 multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k
diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k
index 8f5862e5c..1bd11a784 100644
--- a/multisig/protocol-correctness/proof/execution-proof.k
+++ b/multisig/protocol-correctness/proof/execution-proof.k
@@ -461,11 +461,70 @@ module EXECUTION-PROOF-HELPERS
 endmodule
+module CONCRETIZE-INSTRUMENTATION
+ imports MAP
+
+ imports PSEUDOCODE
+
+ syntax KItem ::= concretizeValue(KItem)
+ rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV)
+ rule concretizeValue(u(V:Int)) => concretizeValue(V)
+ rule concretizeValue(address(V:Int)) => concretizeValue(V)
+ rule concretizeValue(BoardMember) => .K
+ rule concretizeValue(Proposer) => .K
+ rule concretizeValue(None) => .K
+
+ rule concretizeValue(_) => .K [priority(200)]
+
+ syntax Singleton ::= "singleton"
+
+ syntax IntVarList ::= vars(Int, IntVarList)
+ | ".IntVarList"
+
+ syntax Bool ::= isLazyConcretize(KItem) [function, functional]
+ rule isLazyConcretize(lazyConcretizeKeysFreezer) => true
+ rule isLazyConcretize(lazyConcretizeKeys(_:Map)) => true
+ rule isLazyConcretize(lazyConcretizeValues(_:Map)) => true
+ rule isLazyConcretize(_:KItem) => false [owise]
+
+ syntax Singleton ::= concretizeKeys(Map, IntVarList) [function, functional]
+ rule concretizeKeys((K:Usize |-> _:KItem M:Map) #as _:Map, vars(U:Int, Vars:IntVarList))
+ => concretizeKeys(M, Vars)
+ ensures K ==K u(U:Int)
+ // => concretizeKeys(M, Vars) #And #Ceil(K #And u(U:Int))
+ [simplification(40)]
+ rule concretizeKeys(_:Map, _:IntVarList) => singleton
+ [simplification(50)]
+
+ syntax Singleton ::= concretizeValues(Map, IntVarList) [function, functional]
+ rule concretizeValues((_:KItem |-> V:Usize M:Map) #as _:Map, vars(U:Int, Vars:IntVarList))
+ => concretizeValues(M, Vars)
+ ensures V ==K u(U:Int)
+ // => concretizeKeys(M, Vars) #And #Ceil(K #And u(U:Int))
+ [simplification(40)]
+ rule concretizeValues(_:Map, _:IntVarList) => singleton
+ [simplification(50)]
+
+ syntax KItem ::= concretized(Singleton)
+ rule concretized(singleton) => .K
+
+ syntax KItem ::= "lazyConcretizeKeysFreezer"
+
+ syntax KItem ::= lazyConcretizeKeys(Map)
+ rule lazyConcretizeKeys(M:Map) => concretized(concretizeKeys(M, vars(?_, vars(?_, .IntVarList))))
+
+ syntax KItem ::= lazyConcretizeValues(Map)
+ rule lazyConcretizeValues(M:Map) => concretized(concretizeValues(M, vars(?_, vars(?_, .IntVarList))))
+
+endmodule
+
 module PROOF-INSTRUMENTATION imports MAP imports PSEUDOCODE
+ imports CONCRETIZE-INSTRUMENTATION
+
 syntax KItem ::= splitEquality(KItem, KItem) rule splitEquality(A:KItem, B:KItem) => .K requires A ==K B
diff --git a/multisig/protocol-correctness/proof/functions/Makefile b/multisig/protocol-correctness/proof/functions/Makefile
new file mode 100644
index 000000000..d0a9c8ef6
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/Makefile
@@ -0,0 +1,20 @@
+include ../settings.mak
+
+.PHONY: default
+default: all ;
+
+SCRIPT_DIR = ..
+
+PROOF_DIR = ..
+include $(PROOF_DIR)/proof-dependency.mak
+
+FUNCTIONS_DIR = .
+include functions.mak
+
+.PHONY: all clean execution
+
+all: $(FUNCTIONS_OUT_PREFIX)proof.timestamp
+
+execution: $(FUNCTIONS_OUT_PREFIX)execution.timestamp
+
+clean: functions.clean
diff --git a/multisig/protocol-correctness/proof/functions/functions-dependency.mak b/multisig/protocol-correctness/proof/functions/functions-dependency.mak
new file mode 100644
index 000000000..579b530db
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/functions-dependency.mak
@@ -0,0 +1,3 @@
+FUNCTIONS_ALL := $(wildcard $(FUNCTIONS_DIR)/*.k)
+FUNCTIONS_PROOFS := $(wildcard $(FUNCTIONS_DIR)/proof-*.k)
+FUNCTIONS_EXECUTION := $(filter-out $(FUNCTIONS_PROOFS), $(FUNCTIONS_ALL)) $(PROOF_EXECUTION)
diff --git a/multisig/protocol-correctness/proof/functions/functions-execute.k b/multisig/protocol-correctness/proof/functions/functions-execute.k
new file mode 100644
index 000000000..ea17859e3
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/functions-execute.k
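Review bot: The `concretizeKeys`/`concretizeValues` simplification rules attach `ensures K ==K u(U:Int)` to a function whose fallback rule always yields `singleton`, so a map entry whose key or value cannot take the `u(_)` shape does not fail the proof but makes that branch's side condition unsatisfiable, which the prover presumably treats as a vacuous (`#Bottom`) path rather than a failure; that consequence should be stated. Suggested comment under `module CONCRETIZE-INSTRUMENTATION`: `// Proof-only instrumentation: case-splits symbolic Usize map keys/values into the u(Int) shape. An entry that cannot take that shape makes the branch vacuous, so this module must never be imported into the executable semantics.` The `vars(?_, vars(?_, .IntVarList))` lists in `lazyConcretizeKeys`/`lazyConcretizeValues` supply exactly two fresh variables, so at most two entries are concretized; a comment recording that limit would stop a claim over a larger symbolic map from being silently under-constrained. The commented-out `// => concretizeKeys(M, Vars) #And #Ceil(...)` alternatives (the second one still says `concretizeKeys` inside `concretizeValues`) should either go or carry a note on why the `ensures` form was kept.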
@@ -0,0 +1,20 @@
+require "../execution-proof.k"
+
+module FUNCTIONS-EXECUTE-SYNTAX
+ imports EXECUTION-PROOF-SYNTAX
+endmodule
+
+module FUNCTIONS-INSTRUMENTATION
+ imports PROOF-INSTRUMENTATION
+
+ rule preCall
+ ~> (.K => concretizeValue(Role))
+ ~> call(canSign(Role:UserRole))
+ [priority(20)]
+endmodule
+
+module FUNCTIONS-EXECUTE
+ imports EXECUTION-PROOF
+
+ imports FUNCTIONS-INSTRUMENTATION
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/functions.mak b/multisig/protocol-correctness/proof/functions/functions.mak
new file mode 100644
index 000000000..37a6b6cdf
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/functions.mak
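Review bot: The rule in `FUNCTIONS-INSTRUMENTATION` alters the semantics the function proofs execute against, and nothing records that it is behaviour-neutral; every `concretizeValue(...)` rule added to `execution-proof.k` in this commit ends in `.K`, so its only effect is to case-split `Role` before `canSign`, and the rule should say so: `// Proof-only: case-splits Role (BoardMember/Proposer/None) before canSign; concretizeValue always reduces to .K, so execution is unchanged.` Once `concretizeValue(Role)` has reduced to `.K` the configuration again matches this rule's left-hand side (`preCall ~> call(canSign(Role))`), and with `[priority(20)]` it presumably outranks the ordinary `preCall` handling; unless a rule outside this view consumes `preCall` first, that looks like it can re-fire indefinitely, so the comment should also name what prevents re-application.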
@@ -0,0 +1,39 @@
+FUNCTIONS_OUT_PREFIX=out/functions.
+
+include ${FUNCTIONS_DIR}/functions-dependency.mak
+
+FUNCTIONS_PROOF_TIMESTAMPS := $(addprefix $(FUNCTIONS_OUT_PREFIX),$(notdir ${FUNCTIONS_PROOFS:.k=.timestamp}))
+FUNCTIONS_PROOF_DEBUGGERS := $(addprefix $(FUNCTIONS_OUT_PREFIX),$(notdir ${FUNCTIONS_PROOFS:.k=.debugger}))
+
+.PHONY: functions.clean ${FUNCTIONS_PROOF_DEBUGGERS}
+
+$(FUNCTIONS_OUT_PREFIX)proof.timestamp: ${FUNCTIONS_PROOF_TIMESTAMPS}
+ $(DIR_GUARD)
+ @touch $(FUNCTIONS_OUT_PREFIX)proof.timestamp
+
+$(FUNCTIONS_OUT_PREFIX)proof-%.timestamp: ${FUNCTIONS_DIR}/proof-%.k $(FUNCTIONS_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Proving $*..."
+ @cat /proc/uptime | sed 's/\s.*//' > $(FUNCTIONS_OUT_PREFIX)proof-$*.duration.temp
+ @((kprove $< --directory $(FUNCTIONS_DIR) --haskell-backend-command $(BACKEND_COMMAND) > $(FUNCTIONS_OUT_PREFIX)proof-$*.out 2>&1) && echo "$* done") || (cat $(FUNCTIONS_OUT_PREFIX)proof-$*.out; echo "$* failed"; echo "$*" >> $(FUNCTIONS_OUT_PREFIX)failures; false)
+ @cat /proc/uptime | sed 's/\s.*//' >> $(FUNCTIONS_OUT_PREFIX)proof-$*.duration.temp
+ @$(SCRIPT_DIR)/compute-duration.py $(FUNCTIONS_OUT_PREFIX)proof-$*.duration.temp > $(FUNCTIONS_OUT_PREFIX)proof-$*.duration
+ @rm $(FUNCTIONS_OUT_PREFIX)proof-$*.duration.temp
+ @touch $(FUNCTIONS_OUT_PREFIX)proof-$*.timestamp
+
+$(FUNCTIONS_OUT_PREFIX)proof-%.debugger: ${FUNCTIONS_DIR}/proof-%.k $(FUNCTIONS_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Debugging $*..."
+ @kprove $< --directory $(FUNCTIONS_DIR) --haskell-backend-command $(DEBUG_COMMAND)
+
+$(FUNCTIONS_OUT_PREFIX)execution.timestamp: $(FUNCTIONS_DIR)/functions-execute.k $(FUNCTIONS_EXECUTION)
+ $(DIR_GUARD)
+ @echo "Compiling execution..."
+ @kompile $< --backend haskell --directory $(FUNCTIONS_DIR)
+ @touch $(FUNCTIONS_OUT_PREFIX)execution.timestamp
+
+functions.clean:
+ -rm -r $(FUNCTIONS_DIR)/*-kompiled
+ -rm -r .kprove-*
+ -rm kore-*.tar.gz
+ -rm $(FUNCTIONS_OUT_PREFIX)*
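Review bot: The `failures` file written by the `proof-%.timestamp` recipe is only ever appended to (`echo "$*" >> $(FUNCTIONS_OUT_PREFIX)failures`) and is removed only by `functions.clean`, so under `make -k` a proof that failed once and passed on a later run is still listed as failed. Truncate it at the start of a run, e.g. add `@rm -f $(FUNCTIONS_OUT_PREFIX)failures` to the `execution.timestamp` recipe, or have the success branch remove its own entry. The `cat /proc/uptime | sed 's/\s.*//'` timing is Linux-only and would leave the `.duration.temp` file empty elsewhere; `date +%s.%N` would make the recipe portable without changing what `compute-duration.py` receives. A one-line comment on the `kprove` recipe saying that output goes to `proof-$*.out` and is only echoed on failure would also help whoever reads a silent "done".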
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k
new file mode 100644
index 000000000..b4d030e33
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k
@@ -0,0 +1,92 @@
+module TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserId |-> BoardMember UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers),
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers -Int 1 +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool addressToUserIdInvariant(AddressToUserId)
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-CHANGE-USER-ROLE-BOARDMEMBER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserId |-> BoardMember UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers),
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers -Int 1 +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool addressToUserIdInvariant(AddressToUserId)
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k
new file mode 100644
index 000000000..9ff3ac636
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k
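Review bot: `TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER` asserts the claim for an arbitrary `Stack:List`, while `PROOF-CHANGE-USER-ROLE-BOARDMEMBER` proves it only for `.List` (`// TODO: Stack:List,`), so the `[trusted]` lemma other proofs consume is strictly stronger than anything verified here. Until the TODO is resolved the gap should be written where the lemma is read: `// [trusted] generalises the proven claim from .List to an arbitrary Stack; that generalisation is not yet verified, see PROOF-CHANGE-USER-ROLE-BOARDMEMBER.` The claim also does not require `NumBoardMembers >=Int 1`, so the post-state `u(NumBoardMembers -Int 1 ...)` is not tied to the `UserId |-> BoardMember` entry it removes; if `u(_)` is meant to hold a non-negative usize, `andBool NumBoardMembers >=Int 1` (or the counting invariant that implies it) belongs in `requires`.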
@@ -0,0 +1,104 @@
+module TRUSTED-CHANGE-USER-ROLE-NEW
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers +Int 1),
+ u(NumUsers +Int 1) |-> UserAddress UserIdToAddress,
+ UserAddress |-> u(NumUsers +Int 1) AddressToUserId,
+ u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else u(NumUsers +Int 1) |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool NumUsers >=Int 0
+ // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + something taking map values to keys.
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), usesExpanded)
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), usesExpanded)
+
+ andBool notBool UserAddress in_keys(AddressToUserId)
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-CHANGE-USER-ROLE-NEW
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers +Int 1),
+ u(NumUsers +Int 1) |-> UserAddress UserIdToAddress,
+ UserAddress |-> u(NumUsers +Int 1) AddressToUserId,
+ u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else u(NumUsers +Int 1) |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool NumUsers >=Int 0
+ // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + someting to map values to keys.
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded))
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded))
+
+ andBool notBool UserAddress in_keys(AddressToUserId)
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k
new file mode 100644
index 000000000..3c0fc68f3
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k
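Review bot: The `requires` of `TRUSTED-CHANGE-USER-ROLE-NEW` constrains only the keys of `UserIdToAddress` and `UserIdToRole`, while the post-state adds `UserAddress |-> u(NumUsers +Int 1)` to `AddressToUserId` whose values are left unconstrained; the `// TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId)` comment acknowledges that an existing address could already map to `u(NumUsers +Int 1)`, in which case two addresses would share one user id. Because the trusted module is consumed as a lemma, that should be an explicit assumption rather than a TODO: `// ASSUMPTION (unverified): no existing address maps to u(NumUsers +Int 1); two addresses sharing an id would let one act with the other's role.` The trusted and proof modules also differ in hypothesis form, `usesExpanded` here versus `expand(expanded)` in `PROOF-CHANGE-USER-ROLE-NEW`, with nothing saying which is the proof-engineering variant; a one-line comment on that line would keep the pair from drifting further (`someting` in the proof module's comment is a typo for `something`).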
@@ -0,0 +1,96 @@
+module TRUSTED-CHANGE-USER-ROLE-NONE
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers),
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool addressToUserIdInvariant(AddressToUserId)
+
+ andBool notBool UserId in_keys(UserIdToRole)
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-CHANGE-USER-ROLE-NONE
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers),
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool addressToUserIdInvariant(AddressToUserId)
+
+ andBool notBool UserId in_keys(UserIdToRole)
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k
new file mode 100644
index 000000000..ee39d125c
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k
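Review bot: The precondition `notBool UserId in_keys(UserIdToRole)` combined with a post-state that leaves `NumUsers` unchanged relies on the pseudocode treating an address that is present in `AddressToUserId` but has no `UserIdToRole` entry as a `None`-role user whose id is reused, rather than as an unknown caller; that is presumably how `changeUserRole` reads roles, but nothing in this file says so. A header comment on `TRUSTED-CHANGE-USER-ROLE-NONE` would pin it down: `// Covers a registered user whose role entry is absent (role None): the existing id is reused, NumUsers is unchanged, and only the counter for NewRole moves.` Since the `None` case here is identified by the absence of a key rather than by a stored `None` value, the comment should also say which of the two the invariant guarantees, otherwise a future change that stores `None` explicitly would silently fall outside every lemma in this set.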
@@ -0,0 +1,92 @@
+module TRUSTED-CHANGE-USER-ROLE-PROPOSER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserId |-> Proposer UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers),
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers -Int 1 +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool addressToUserIdInvariant(AddressToUserId)
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-CHANGE-USER-ROLE-PROPOSER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K
+
+ invariantStateFull(
+ u(NumUsers:Int),
+ UserIdToAddress:Map,
+ (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ UserId |-> Proposer UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ evaluate(void) ~> K
+ invariantStateFull(
+ u(NumUsers),
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi),
+ u(NumProposers -Int 1 +Int #if NewRole ==K Proposer #then 1 #else 0 #fi),
+ #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool addressToUserIdInvariant(AddressToUserId)
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k
new file mode 100644
index 000000000..41405d715
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k
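Review bot: `TRUSTED-CHANGE-USER-ROLE-PROPOSER` and `PROOF-CHANGE-USER-ROLE-PROPOSER` are hand-copied twins that differ only in `Stack:List` versus `.List, // TODO: Stack:List,`, and the same pairing is repeated for every lemma in this directory; the `usesExpanded`/`expand(expanded)` mismatch already present in `proof-change-user-role-New.k` shows how such pairs drift. At minimum cross-reference them on the trusted module, `// Must stay textually identical to PROOF-CHANGE-USER-ROLE-PROPOSER except for the Stack argument; diff the two when editing either.`; generating the trusted module from the proof module would remove the risk entirely. As in the BoardMember lemma, `u(NumProposers -Int 1 ...)` is produced without `NumProposers >=Int 1` in `requires`, so the counter is not tied to the `UserId |-> Proposer` entry being overwritten.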
@@ -0,0 +1,122 @@
+module TRUSTED-PROPOSE-ACTION-BOARDMEMBER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(proposeAction(Action:Action)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ u(ActionLastIndex +Int 1) ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ u(ActionLastIndex +Int 1),
+ u(ActionLastIndex +Int 1) |-> Action ActionData,
+ (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool isKResult(Action)
+ andBool valueIsNotEmpty(Action, rAction)
+
+ andBool valuesAreKResult(AddressToUserId)
+ andBool valuesAreOfType(AddressToUserId, rUsize)
+ andBool valuesAreNotEmpty(AddressToUserId, rUsize)
+
+ andBool valuesAreOfType(UserIdToRole, rUserRole)
+ andBool valuesAreKResult(UserIdToRole)
+
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded))
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded))
+
+ andBool CallerAddress in_keys(AddressToUserId)
+ andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole)
+ andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-PROPOSE-ACTION-BOARDMEMBER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(proposeAction(Action:Action)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ u(ActionLastIndex +Int 1) ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ u(ActionLastIndex +Int 1),
+ u(ActionLastIndex +Int 1) |-> Action ActionData,
+ (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool isKResult(Action)
+ andBool valueIsNotEmpty(Action, rAction)
+
+ andBool valuesAreKResult(AddressToUserId)
+ andBool valuesAreOfType(AddressToUserId, rUsize)
+ andBool valuesAreNotEmpty(AddressToUserId, rUsize)
+
+ andBool valuesAreOfType(UserIdToRole, rUserRole)
+ andBool valuesAreKResult(UserIdToRole)
+
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded))
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded))
+
+ andBool CallerAddress in_keys(AddressToUserId)
+ andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole)
+ andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k
new file mode 100644
index 000000000..3fe5588f1
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k
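Review bot: The post-state entry `(u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners` is the security-relevant part of this lemma, a board member's proposal is created already carrying that member's signature, and nothing in the module says so; a reader only discovers it by diffing against `proof-propose-action-Proposer.k`, where `ActionSigners` is unchanged. Add above `TRUSTED-PROPOSE-ACTION-BOARDMEMBER`: `// A BoardMember proposal starts with the proposer as its sole signer (the Proposer variant starts with none). Hypotheses: id ActionLastIndex+1 is unused in ActionData and ActionSigners, and the caller resolves to a user whose role is BoardMember.` The freshness of the new id rests entirely on the two `unusedIdsInMapKeys(ActionLastIndex +Int 1, ...)` hypotheses; whether `ActionLastIndex +Int 1` can wrap in the concrete `Usize` is not expressed by `u(ActionLastIndex +Int 1)` here, and if the `u(_)` constructor does not bound its argument that should be noted next to the hypotheses.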
@@ -0,0 +1,122 @@
+module TRUSTED-PROPOSE-ACTION-PROPOSER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(proposeAction(Action:Action)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ u(ActionLastIndex +Int 1) ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ u(ActionLastIndex +Int 1),
+ u(ActionLastIndex +Int 1) |-> Action ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool isKResult(Action)
+ andBool valueIsNotEmpty(Action, rAction)
+
+ andBool valuesAreKResult(AddressToUserId)
+ andBool valuesAreOfType(AddressToUserId, rUsize)
+ andBool valuesAreNotEmpty(AddressToUserId, rUsize)
+
+ andBool valuesAreOfType(UserIdToRole, rUserRole)
+ andBool valuesAreKResult(UserIdToRole)
+
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded))
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded))
+
+ andBool CallerAddress in_keys(AddressToUserId)
+ andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole)
+ andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K Proposer
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-PROPOSE-ACTION-PROPOSER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(proposeAction(Action:Action)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ u(ActionLastIndex +Int 1) ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ u(ActionLastIndex +Int 1),
+ u(ActionLastIndex +Int 1) |-> Action ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool isKResult(Action)
+ andBool valueIsNotEmpty(Action, rAction)
+
+ andBool valuesAreKResult(AddressToUserId)
+ andBool valuesAreOfType(AddressToUserId, rUsize)
+ andBool valuesAreNotEmpty(AddressToUserId, rUsize)
+
+ andBool valuesAreOfType(UserIdToRole, rUserRole)
+ andBool valuesAreKResult(UserIdToRole)
+
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded))
+ andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded))
+
+ andBool CallerAddress in_keys(AddressToUserId)
+ andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole)
+ andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K Proposer
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error.k
new file mode 100644
index 000000000..a04026330
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error.k
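Review bot: The hypothesis `andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded))` is carried over from the BoardMember lemma although this claim leaves `ActionSigners` unchanged; if the Proposer path of `proposeAction` never touches `ActionSigners` the hypothesis is dead weight that narrows where the lemma applies, and if the path does read it (for example `ActionSigners[newId]`) the reason should be written down. Either drop the line or annotate it: `// needed because proposeAction reads ActionSigners[newId] even on the Proposer path -- TODO confirm against the pseudocode`. The module would also benefit from a header stating the property being proven, namely that a Proposer's proposal is created with no signers, so the contrast with the BoardMember variant is explicit rather than implied by the absence of an `ActionSigners` update.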
@@ -0,0 +1,116 @@
+module TRUSTED-PROPOSE-ACTION-ERROR
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(proposeAction(_Action:Action)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ error ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables:Map
+ ):StateCell
+
+ requires true
+ andBool notBool u(0) in_keys(UserIdToRole)
+
+ andBool valuesAreKResult(AddressToUserId)
+ andBool valuesAreOfType(AddressToUserId, rUsize)
+ andBool valuesAreNotEmpty(AddressToUserId, rUsize)
+
+ andBool valuesAreOfType(UserIdToRole, rUserRole)
+ andBool valuesAreKResult(UserIdToRole)
+
+ andBool notBool
+ ( CallerAddress in_keys(AddressToUserId)
+ andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole)
+ )
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-PROPOSE-ACTION-ERROR
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(proposeAction(_Action:Action)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List
+ .Map
+ )
+
+ =>
+
+ error ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List
+ ?_Variables:Map
+ ):StateCell
+
+ requires true
+ andBool notBool u(0) in_keys(UserIdToRole)
+
+ andBool valuesAreKResult(AddressToUserId)
+ andBool valuesAreOfType(AddressToUserId, rUsize)
+ andBool valuesAreNotEmpty(AddressToUserId, rUsize)
+
+ andBool valuesAreOfType(UserIdToRole, rUserRole)
+ andBool valuesAreKResult(UserIdToRole)
+
+ andBool notBool
+ ( CallerAddress in_keys(AddressToUserId)
+ andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole)
+ )
+ ensures true
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k
new file mode 100644
index 000000000..622f12d4f
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k
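Review bot: The hypothesis `andBool notBool u(0) in_keys(UserIdToRole)` is doing real security work here and is unexplained: the error claim covers a caller absent from `AddressToUserId` (or without a role entry), which suggests the pseudocode resolves an unknown address to id `u(0)` and then looks up that id's role; if id 0 ever carried a role, an unregistered caller would be treated as that user and this lemma would simply not apply. Document it at the hypothesis: `// u(0) is presumably the id an unknown address resolves to; it must never have a role, or an unregistered caller could propose as user 0 -- TODO confirm against the pseudocode.` The same line reappears in the `sign` error lemmas of this commit, so if the global invariant in `invariant.k` already guarantees it, a single named predicate there is preferable to re-stating it in each `requires`.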
@@ -0,0 +1,100 @@
+module TRUSTED-SIGN-CALLER-NONE
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(sign(ActionId:Usize)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ error ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool notBool u(0) in_keys(UserIdToRole)
+ andBool actionDataInvariant(ActionData)
+
+ andBool ActionId in_keys(ActionData)
+ andBool notBool UserId in_keys(UserIdToRole)
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-SIGN-CALLER-NONE
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(sign(ActionId:Usize)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ error ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool notBool u(0) in_keys(UserIdToRole)
+ andBool actionDataInvariant(ActionData)
+
+ andBool ActionId in_keys(ActionData)
+ andBool notBool UserId in_keys(UserIdToRole)
+ ensures true
+endmodule
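Review bot: The property this lemma establishes, that a registered caller with no role cannot add a signature and that `ActionSigners`, `ActionData` and every counter are unchanged on the `error` path, is only visible by diffing the two `invariantStateFull` terms, and the module carries no comment. Suggested header for `TRUSTED-SIGN-CALLER-NONE`: `// sign() by a registered user whose id has no role entry fails with error and leaves the whole state, in particular ActionSigners, unchanged.` The claim is restricted to `ActionId in_keys(ActionData)`, so what happens when a role-less caller signs a non-existent or discarded action is not covered by this file; if `proof-sign-empty-action.k` (whose body is outside this view) covers it, a cross-reference comment would let a reader check that the case split over callers and actions is complete.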
diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k
new file mode 100644
index 000000000..6909ed36a
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k
@@ -0,0 +1,100 @@
+module TRUSTED-SIGN-CALLER-NOT-USER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(sign(ActionId:Usize)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:List,
+ .Map
+ )
+
+ =>
+
+ error ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool notBool u(0) in_keys(UserIdToRole)
+ andBool actionDataInvariant(ActionData)
+
+ andBool ActionId in_keys(ActionData)
+ andBool notBool CallerAddress in_keys(AddressToUserId)
+ ensures true
+ [trusted]
+endmodule
+
+module PROOF-SIGN-CALLER-NOT-USER
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(sign(ActionId:Usize)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ .List, // TODO: Stack:List,
+ .Map
+ )
+
+ =>
+
+ error ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ .List, // TODO: Stack:List,
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool notBool u(0) in_keys(UserIdToRole)
+ andBool actionDataInvariant(ActionData)
+
+ andBool ActionId in_keys(ActionData)
+ andBool notBool CallerAddress in_keys(AddressToUserId)
+ ensures true
+endmodule
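Review bot: The hypotheses of `TRUSTED-SIGN-CALLER-NOT-USER` differ from those of the analogous `proof-propose-action-error.k` lemma without explanation: that claim requires `valuesAreKResult`/`valuesAreOfType`/`valuesAreNotEmpty` on `AddressToUserId` and `UserIdToRole`, whereas this one requires `actionDataInvariant(ActionData)` and says nothing about the value shapes of the user maps. If the difference mirrors what each function reads it is fine, but the `requires` block should say so, e.g. `// sign() reads ActionData before resolving the caller, hence actionDataInvariant; the user-map shape hypotheses used by proposeAction are not needed here -- TODO confirm.` This lemma and the propose error lemma both depend on `notBool u(0) in_keys(UserIdToRole)` to reject an address that is not in `AddressToUserId`, which is exactly the case an attacker controls; naming that fact once as an invariant, rather than repeating the literal in each claim, would make it harder to drop by accident.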
diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k
new file mode 100644
index 000000000..547538fd8
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k
@@ -0,0 +1,102 @@ +module TRUSTED-SIGN-CALLER-PROPOSER + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:List, + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + // andBool notBool ActionId in_keys(ActionSigners) + ensures true + [trusted] +endmodule + +module PROOF-SIGN-CALLER-PROPOSER + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + .List, // TODO: Stack:List, + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + .List, // TODO: Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool 
userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + // andBool notBool ActionId in_keys(ActionSigners) + ensures true +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k new file mode 100644 index 000000000..194e09df5 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k 
@@ -0,0 +1,92 @@ +module TRUSTED-SIGN-EMPTY-ACTION + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:List, + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool ActionId in_keys(ActionData) + ensures true + [trusted] +endmodule + +module PROOF-SIGN-EMPTY-ACTION + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + .List, // TODO: Stack:List, + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + .List, // TODO: Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool ActionId in_keys(ActionData) + ensures true +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k new file mode 100644 index 000000000..506299a8e --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k 
@@ -0,0 +1,104 @@ +module TRUSTED-SIGN-EXISTING-SIGNERS-IN-LIST + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ((ActionId |-> Signers:ExpressionList) _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + Stack:List, + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + andBool isKResult(Signers) + andBool #listContains(Signers, UserId) + ensures true + [trusted] +endmodule + +module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ((ActionId |-> Signers:ExpressionList) _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + .List, // TODO: Stack:List, + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + .List, // TODO: Stack:List, + 
?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + andBool isKResult(Signers) + andBool #listContains(Signers, UserId) + ensures true +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k new file mode 100644 index 000000000..c9aeed016 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k 
@@ -0,0 +1,104 @@ +module TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + (ActionId |-> [Signers:ExpressionCSV]) ActionSigners:Map, + CallerAddress:Address, + Stack:List, + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + (ActionId |-> [#pushList(Signers, UserId)]) ActionSigners, + CallerAddress, + Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + andBool isKResult(Signers) + andBool notBool #listContains([Signers], UserId) + ensures true + [trusted] +endmodule + +module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + (ActionId |-> [Signers:ExpressionCSV]) ActionSigners:Map, + CallerAddress:Address, + .List, // TODO: Stack:List, + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + (ActionId |-> [#pushList(Signers, UserId)]) 
ActionSigners, + CallerAddress, + .List, // TODO: Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + andBool isKResult(Signers) + andBool notBool #listContains([Signers], UserId) + ensures true +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k new file mode 100644 index 000000000..04f640458 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k 
@@ -0,0 +1,105 @@ +module TRUSTED-SIGN-NO-SIGNERS + imports FUNCTIONS-EXECUTE + + claim + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:List, + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionId |-> [UserId, .] ActionSigners, + CallerAddress, + Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + + andBool ActionId in_keys(ActionData) + andBool notBool ActionId in_keys(ActionSigners) + ensures true + andBool usizeToInt(ActionId) + call(sign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + .List, // TODO: Stack:List, + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionId |-> [UserId, .] 
ActionSigners, + CallerAddress, + .List, // TODO: Stack:List, + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + andBool actionDataInvariant(ActionData) + andBool userIdToRoleInvariant(UserIdToRole) + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), Handling) + + andBool ActionId in_keys(ActionData) + andBool notBool ActionId in_keys(ActionSigners) + ensures true + andBool usizeToInt(ActionId) true andBool valueOfType(V, rAction) // valuesAreOfType(ActionData, rAction) andBool isKResult(V) // valuesAreKResult(ActionData) + andBool valueIsNotEmpty(V, rAction) // valuesAreNotEmpty(ActionData, rAction) andBool actionDataInvariant(ActionData) [simplification] @@ -99,6 +100,21 @@ module INVARIANT callerAddress:KItem, stack:List) [function, functional] + syntax StateCell ::= invariantStateFull( + numUsers:Usize, + userIdToAddress:Map, + addressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userIdToRole:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map, + callerAddress:KItem, + stack:List, + variables:Map) [function, functional] + rule invariantState( NumUsers:Usize, UserIdToAddress:Map, @@ -138,6 +154,35 @@ module INVARIANT ActionSigners:Map, CallerAddress:KItem, Stack:List) + => invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + .Map) + + rule invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:KItem, + Stack:List, + Variables:Map) => invariantMultisigState( 
@@ -152,15 +197,12 @@ module INVARIANT ActionData, ActionSigners):MultisigStateCell - .Map + Variables Stack CallerAddress - - .K - rule invariantMultisigState( @@ -237,6 +279,8 @@ module INVARIANT andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) andBool noReusedIndexValue(NumUsers +Int 1, AddressToUserId, Handling) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), Handling) + andBool userIdToRoleInvariant(UserIdToRole) // andBool valuesAreOfType(UserIdToRole, rUserRole) // andBool valuesAreKResult(UserIdToRole) @@ -266,6 +310,32 @@ module INVARIANT andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + // TODO: Maybe move somewhere else. + rule valuesAreOfType(M:Map, rUsize) => true + requires addressToUserIdInvariant(M) + rule valuesAreOfType(M:Map, rUserRole) => true + requires userIdToRoleInvariant(M) + rule valuesAreOfType(M:Map, rAction) => true + requires actionDataInvariant(M) + rule valuesAreKResult(M:Map) => true + requires false + orBool addressToUserIdInvariant(M) + orBool userIdToRoleInvariant(M) + orBool actionSignersInvariant(M) + orBool actionDataInvariant(M) + rule valuesAreNotEmpty(M:Map, rUsize) => true + requires false + orBool addressToUserIdInvariant(M) + rule valuesAreNotEmpty(M:Map, rUserRole) => true + requires false + orBool userIdToRoleInvariant(M) + rule valuesAreExpressionListOfUsize(M:Map) => true + requires false + orBool actionSignersInvariant(M) + rule valuesAreDistinct(M:Map) => true + requires false + orBool addressToUserIdInvariant(M) + // TODO: Delete. syntax Bool ::= invariantDebug( numUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k index eecf4bd95..205c41f08 100644 --- a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k 
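Review bot: The new `valuesAreOfType`/`valuesAreKResult`/`valuesAreNotEmpty`/`valuesAreExpressionListOfUsize`/`valuesAreDistinct` rules in the `@@ -266,6 +310,32` hunk only rewrite to `true` under `requires ...Invariant(M)`; there is no rule for the negative case, so when the invariant cannot be established the application stays symbolic instead of becoming `false`, and a claim that depends on it fails by getting stuck rather than by a visible unsatisfied side condition. That is presumably intended (they are one-directional facts, not definitions of the predicates), but the `// TODO: Maybe move somewhere else.` comment does not say so; a comment such as `// One-directional lemmas: each per-map invariant implies the generic property; the converse is not claimed.` would make the intent explicit. It is also worth stating whether these are meant as ordinary function rules or as `[simplification]` lemmas like the `actionDataInvariant` rule earlier in this file, since the prover treats the two differently.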
+++ b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k @@ -50,9 +50,6 @@ module COUNT-CAN-SIGN-PARTS Stack ExternalCallEnv - - .K - @@ -102,9 +99,6 @@ module COUNT-CAN-SIGN-PARTS Stack ExternalCallEnv - - .K - diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k index 1030b40a9..16206bc79 100644 --- a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k +++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k @@ -70,9 +70,6 @@ module INIT-LOOP-PARTS Stack ExternalCallEnv - - .K - @@ -134,9 +131,6 @@ module INIT-LOOP-PARTS Stack ExternalCallEnv - - .K - diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index 3c4f8b1df..fafd20eb4 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k @@ -1,4 +1,5 @@ require "../execution-proof.k" +require "../functions/functions-execute.k" require "count-can-sign-parts.k" require "init-loop-parts.k" @@ -23,17 +24,6 @@ module INVARIANT-INSTRUMENTATION imports PROOF-INSTRUMENTATION imports PSEUDOCODE - syntax Singleton ::= "singleton" - - syntax IntVarList ::= vars(Int, IntVarList) - | ".IntVarList" - - syntax Bool ::= isLazyConcretize(KItem) [function, functional] - rule isLazyConcretize(lazyConcretizeKeysFreezer) => true - rule isLazyConcretize(lazyConcretizeKeys(_:Map)) => true - rule isLazyConcretize(lazyConcretizeValues(_:Map)) => true - rule isLazyConcretize(_:KItem) => false [owise] - rule nullableMapLookup(_:KItem, M:Map, _:ReflectionType) ~> (.K => lazyConcretizeKeys(M)) ~> K:KItem 
@@ -50,35 +40,23 @@ module INVARIANT-INSTRUMENTATION rule (M:Map ~> lazyConcretizeKeysFreezer) => (lazyConcretizeKeys(M) ~> M) [priority(20)] - syntax Singleton ::= concretizeKeys(Map, IntVarList) [function, functional] - rule concretizeKeys((K:Usize |-> _:KItem M:Map) #as _:Map, vars(U:Int, Vars:IntVarList)) - => concretizeKeys(M, Vars) - ensures K ==K u(U:Int) - // => concretizeKeys(M, Vars) #And #Ceil(K #And u(U:Int)) - [simplification(40)] - rule concretizeKeys(_:Map, _:IntVarList) => singleton - [simplification(50)] - - syntax Singleton ::= concretizeValues(Map, IntVarList) [function, functional] - rule concretizeValues((_:KItem |-> V:Usize M:Map) #as _:Map, vars(U:Int, Vars:IntVarList)) - => concretizeValues(M, Vars) - ensures V ==K u(U:Int) - // => concretizeKeys(M, Vars) #And #Ceil(K #And u(U:Int)) - [simplification(40)] - rule concretizeValues(_:Map, _:IntVarList) => singleton - [simplification(50)] - - syntax KItem ::= concretized(Singleton) - rule concretized(singleton) => .K - - syntax KItem ::= "lazyConcretizeKeysFreezer" + // TODO: Move in execution-proof.k + syntax KItem ::= makeConcreteValue(key:KItem, valueType:ReflectionType, Map) + rule makeConcreteValue(Key:KItem, ValueType:ReflectionType, M:Map) + => lazySplitMap(Key, M, ?_Value:KItem, ?_Remainder:Map) + ~> cast(M[Key], ValueType) + ~> removeValue + ~> concretizeValue(M[Key]) + requires Key in_keys(M) - syntax KItem ::= lazyConcretizeKeys(Map) - rule lazyConcretizeKeys(M:Map) => concretized(concretizeKeys(M, vars(?_, vars(?_, .IntVarList)))) - - syntax KItem ::= lazyConcretizeValues(Map) - rule lazyConcretizeValues(M:Map) => concretized(concretizeValues(M, vars(?_, vars(?_, .IntVarList)))) + syntax KItem ::= lazySplitMap(k:KItem, m:Map, value:KItem, remainder:Map) + rule lazySplitMap(K:KItem, M:Map, Value:KItem, Remainder:Map) + => splitMap(K, M, Value, Remainder) +endmodule +module PERFORM-SPLIT-ACTION-INSTRUMENTATION + imports PSEUDOCODE + syntax KItem ::= "splitting-action" rule pushContext 
~> (.K => splitAction(A) ~> splitting-action) ~> call(performAction(A:Action)) ... @@ -105,6 +83,12 @@ module INVARIANT-INSTRUMENTATION _Function:BoxedBytes, _Arguments:ExpressionList)) => .K +endmodule + +module PERFORM-ACTION-REMOVE-USER-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + imports PERFORM-SPLIT-ACTION-INSTRUMENTATION + imports PSEUDOCODE syntax KItem ::= splittingDeleteCaller(Address) syntax KItem ::= splittingDeleteCaller1(Address) @@ -114,22 +98,16 @@ module INVARIANT-INSTRUMENTATION [priority(10)] rule splittingDeleteCaller(A:Address) - => splitBoolean(A in_keys(AddressToUserId)) - ~> branchK( - A in_keys(AddressToUserId), - splittingDeleteCaller1(A), - .K - ) + => branchK( + A in_keys(AddressToUserId), + splittingDeleteCaller1(A), + .K + ) ... AddressToUserId:Map rule ( splittingDeleteCaller1(A:Address) - => splitMap( - A, AddressToUserId, - ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) - ~> cast(AddressToUserId[A], rUsize) - ~> removeValue - ~> splitBoolean(AddressToUserId[A] in_keys(UserIdToRole)) + => makeConcreteValue(A, rUsize, AddressToUserId) ~> branchK( AddressToUserId[A] in_keys(UserIdToRole), splittingDeleteCaller2({AddressToUserId[A]}:>Usize), @@ -143,13 +121,8 @@ module INVARIANT-INSTRUMENTATION rule ( splittingDeleteCaller2(UserId:Usize) - => splitMap( - UserId, UserIdToRole, - ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) - ~> cast(UserIdToRole[UserId], rUserRole) - ~> removeValue - ~> lazyConcretizeKeys(UserIdToRole) - ~> splitBoolean(UserIdToRole[UserId] ==K BoardMember) + => makeConcreteValue(UserId, rUserRole, UserIdToRole) + ~> lazyConcretizeKeys(UserIdToRole) // TODO: Likely not needed. ~> branchK( UserIdToRole[UserId] ==K BoardMember, splitBoolean(Quorum <=Int NumBoardMembers -Int 1), 
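Review bot: `lazyConcretizeKeys` and `lazyConcretizeKeysFreezer` are still referenced after this hunk — by the surviving context rule `rule (M:Map ~> lazyConcretizeKeysFreezer) => (lazyConcretizeKeys(M) ~> M)` in this hunk and by the new line `~> lazyConcretizeKeys(UserIdToRole) // TODO: Likely not needed.` in the `@@ -143,13 +121,8` hunk below — yet their `syntax KItem ::= ...` declarations are deleted here. Unless those productions were moved into execution-proof.k (not visible in this diff), INVARIANT-INSTRUMENTATION will no longer parse; if they were moved, a one-line comment next to `makeConcreteValue` saying where they now live would save the next reader the search. `makeConcreteValue` itself has a single rule guarded by `requires Key in_keys(M)`, so a caller that reaches it with an absent key is left stuck rather than failing visibly; please state that precondition on the production, e.g. `// Precondition: Key in_keys(M). Callers branch on membership first (see splitSign2, splittingActionProposer1).`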
@@ -163,23 +136,14 @@ module INVARIANT-INSTRUMENTATION u(NumProposers:Int) u(Quorum:Int) requires UserId in_keys(UserIdToRole) +endmodule - syntax KItem ::= concretizeValue(KItem) - rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV) - rule concretizeValue(u(V:Int)) => concretizeValue(V) - rule concretizeValue(address(V:Int)) => concretizeValue(V) - rule concretizeValue(BoardMember) => .K - rule concretizeValue(Proposer) => .K - rule concretizeValue(None) => .K - - rule concretizeValue(_) => .K [priority(200)] +module PERFORM-ACTION-SC-DEPLOY-INSTRUMENTATION + imports PERFORM-SPLIT-ACTION-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION syntax KItem ::= "concretize-sc-deploy" - rule ( - splitting-action - => concretizeValue(Arguments) - ~> concretize-sc-deploy - ) + rule (splitting-action => concretizeValue(Arguments)) ~> call(performAction(SCDeploy( _Amount:BigUint, _Code:BoxedBytes, 
@@ -187,51 +151,222 @@ module INVARIANT-INSTRUMENTATION Arguments:ExpressionList))) ... [priority(10)] - rule concretize-sc-deploy => .K - [priority(20)] +endmodule - syntax KItem ::= lazySplitMap(k:KItem, m:Map, value:KItem, remainder:Map) - rule lazySplitMap(K:KItem, M:Map, Value:KItem, Remainder:Map) - => splitMap(K, M, Value, Remainder) +module PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + imports PERFORM-SPLIT-ACTION-INSTRUMENTATION + imports PSEUDOCODE + + syntax KItem ::= splittingActionProposer1(Address) + syntax KItem ::= splittingActionProposer2(Address) - syntax KItem ::= "splitting-add-proposer-in-keys-atuid" rule ( splitting-action - => splitBoolean(A1 in_keys(AddressToUserId)) - ~> branchK( + => branchK( A1 in_keys(AddressToUserId), - lazySplitMap( - A1, AddressToUserId, - ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) - ~> cast(AddressToUserId[A1], rUsize) - ~> removeValue - ~> concretizeValue(AddressToUserId[A1]) - ~> concretizeValue(A1) - ~> lazySplitMap( - AddressToUserId[A1], UserIdToRole, - ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) - ~> cast(UserIdToRole[AddressToUserId[A1]], rUserRole) - ~> removeValue - ~> concretizeValue(UserIdToRole[AddressToUserId[A1]]) - ~> .K, + splittingActionProposer1(A1), .K ) - ~> splitting-add-proposer-in-keys-atuid ) ~> call(performAction(AddProposer(A1:Address))) ... AddressToUserId:Map - UserIdToRole:Map [priority(10)] - rule splitting-add-proposer-in-keys-atuid => .K - [priority(20)] + rule splittingActionProposer1(A1:Address) + => makeConcreteValue(A1, rUsize, AddressToUserId) + ~> splittingActionProposer2(A1) + ... + AddressToUserId:Map + requires A1 in_keys(AddressToUserId) + // TODO: Do I need AddressToUserId[A1] in_keys(UserIdToRole)? + + // TODO: Merge this rule with the previous one. + rule splittingActionProposer2(A1:Address) + => makeConcreteValue(AddressToUserId[A1], rUserRole, UserIdToRole) + ... 
+ AddressToUserId:Map + UserIdToRole:Map + requires true + andBool A1 in_keys(AddressToUserId) + andBool AddressToUserId[A1] in_keys(UserIdToRole) + +endmodule + +module PROPOSE-ACTION-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + imports PSEUDOCODE + + syntax KItem ::= "split-propose-action" + syntax KItem ::= "split-propose-action1" + syntax KItem ::= "split-propose-action2" + + rule preCall ~> (.K => split-propose-action) ~> call(proposeAction(_Action:Action)) + [priority(20)] + + rule split-propose-action + => branchK( + Caller in_keys(AddressToUserId), + lazySplitMap( + Caller, AddressToUserId, + ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) + ~> split-propose-action1, + .K + ) + ... + AddressToUserId:Map + Caller:KItem + + rule split-propose-action1 + => branchK( + AddressToUserId[Caller] in_keys(UserIdToRole), + lazySplitMap( + AddressToUserId[Caller], UserIdToRole, + ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) + ~> split-propose-action2, + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + Caller:KItem + + rule split-propose-action2 + => cast(UserIdToRole[AddressToUserId[Caller]], rUserRole) + ~> removeValue + ~> concretizeValue(UserIdToRole[AddressToUserId[Caller]]) + ... + + AddressToUserId:Map + UserIdToRole:Map + Caller:KItem +endmodule + +module CHANGE-USER-ROLE-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + imports PSEUDOCODE + + syntax KItem ::= splitChangeUserRole(Address) + syntax KItem ::= splitChangeUserRole2(Address) + syntax KItem ::= splitChangeUserRole3(Usize) + + rule preCall + ~> (.K => splitChangeUserRole(UserAddress)) + ~> call(changeUserRole(UserAddress:Address, _NewRole:UserRole)) + [priority(20)] + + rule splitChangeUserRole(Address:Address) + => branchK( + Address in_keys(AddressToUserId), + splitChangeUserRole2(Address), + .K + ) + ... 
+ AddressToUserId:Map + + rule splitChangeUserRole2(Address:Address) + => lazySplitMap( + Address, AddressToUserId, + ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) + ~> cast(AddressToUserId[Address], rUsize) + ~> removeValue + ~> concretizeValue(AddressToUserId[Address]) + ~> branchK( + AddressToUserId[Address] in_keys(UserIdToRole), + splitChangeUserRole3({AddressToUserId[Address]}:>Usize), + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + requires Address in_keys(AddressToUserId) + + rule splitChangeUserRole3(UserId:Usize) + => lazySplitMap( + UserId, UserIdToRole, + ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) + ~> cast(UserIdToRole[UserId], rUserRole) + ~> removeValue + ~> concretizeValue(UserIdToRole[UserId]) + ... + UserIdToRole:Map + requires UserId in_keys(UserIdToRole) endmodule +module SIGN-INSTRUMENTATION + imports PSEUDOCODE + imports INVARIANT-INSTRUMENTATION + + syntax KItem ::= splitSign(Usize) + syntax KItem ::= splitSign2(Usize) + syntax KItem ::= splitSign3(Usize) + + rule preCall + ~> (.K => splitSign(ActionId)) + ~> call(sign(ActionId:Usize)) + [priority(20)] + + rule splitSign(ActionId:Usize) + => branchK( + ActionId in_keys(ActionData), + branchK( + CallerAddress in_keys(AddressToUserId), + splitSign2(ActionId), + .K + ), + .K + ) + ... + AddressToUserId:Map + CallerAddress:KItem + ActionData:Map + + rule splitSign2(ActionId:Usize) + => makeConcreteValue(CallerAddress, rUsize, AddressToUserId) + ~> branchK( + AddressToUserId[CallerAddress] in_keys(UserIdToRole), + splitSign3(ActionId), + .K + ) + ... 
+ AddressToUserId:Map + UserIdToRole:Map + CallerAddress:KItem + requires CallerAddress in_keys(AddressToUserId) + + rule splitSign3(ActionId:Usize) + => makeConcreteValue(AddressToUserId[CallerAddress], rUserRole, UserIdToRole) + ~> branchK( + UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember, + branchK( + ActionId in_keys(ActionSigners), + makeConcreteValue(ActionId, rExpressionList, ActionSigners), + .K + ), + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + CallerAddress:KItem + ActionSigners:Map + requires CallerAddress in_keys(AddressToUserId) + andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) + endmodule + module INVARIANT-EXECUTION imports EXECUTION-PROOF + imports FUNCTIONS-EXECUTE imports INVARIANT-INSTRUMENTATION + imports SIGN-INSTRUMENTATION + imports CHANGE-USER-ROLE-INSTRUMENTATION + imports PROPOSE-ACTION-INSTRUMENTATION + imports PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION + imports PERFORM-ACTION-SC-DEPLOY-INSTRUMENTATION + imports PERFORM-ACTION-REMOVE-USER-INSTRUMENTATION + imports PERFORM-SPLIT-ACTION-INSTRUMENTATION imports COUNT-CAN-SIGN-PARTS imports INIT-LOOP-PARTS diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k index 63556ee24..5d6a2dc1d 100644 --- a/multisig/protocol-correctness/proof/invariant/perform-parts.k +++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k @@ -189,6 +189,8 @@ module PERFORM-PARTS andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) andBool noReusedIndexValue(NumUsers +Int 1, AddressToUserId, Handling) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), Handling) + andBool userIdToRoleInvariant(UserIdToRole) // andBool valuesAreOfType(UserIdToRole, rUserRole) // andBool valuesAreKResult(UserIdToRole) @@ -244,9 +246,6 @@ module PERFORM-PARTS CallerAddress - - .K - @@ -291,9 +290,6 @@ module PERFORM-PARTS CallerAddress - - .K - 
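Review bot: `splitChangeUserRole2`, `splitChangeUserRole3` and `split-propose-action1`/`split-propose-action2` spell out the `lazySplitMap ~> cast ~> removeValue ~> concretizeValue` sequence by hand, while SIGN-INSTRUMENTATION, PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION and PERFORM-ACTION-REMOVE-USER-INSTRUMENTATION use the `makeConcreteValue` helper introduced in this same commit for exactly that sequence. Using the helper here too, e.g. `=> makeConcreteValue(Address, rUsize, AddressToUserId)` in `splitChangeUserRole2` and `=> makeConcreteValue(UserId, rUserRole, UserIdToRole)` in `splitChangeUserRole3`, keeps a single definition of how a symbolic map entry is concretised. Relatedly, the PROPOSE-ACTION-INSTRUMENTATION rules carry no `requires` guards (`split-propose-action1` looks up `AddressToUserId[Caller]` relying only on the enclosing `branchK`), whereas the CHANGE-USER-ROLE and SIGN rules restate the membership facts as `requires`; making the guards uniform prevents a rule from firing on a path where the key is absent if the branching is ever refactored.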
diff --git a/multisig/protocol-correctness/proof/invariant/proof-listlen.k b/multisig/protocol-correctness/proof/invariant/proof-listlen.k index b1d599187..710f02c45 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-listlen.k +++ b/multisig/protocol-correctness/proof/invariant/proof-listlen.k @@ -2,15 +2,13 @@ module PROOF-LISTLEN imports PSEUDOCODE imports INVARIANT-EXECUTION + // TODO: Remove the cell. claim call(listLen([.])) => u(0) ... - .K claim call(listLen([E:Expression , Es:ExpressionCSV])) => u(1 +Int pListLen([Es])) ... - .K requires isKResult(E) andBool isKResult(Es) claim call(listLen(L:ExpressionList)) => u(pListLen(L)) ... - .K requires isKResult(L) endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k index c3a09d302..1a5f18329 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-ADD-BOARD-MEMBER imports INVARIANT-EXECUTION @@ -57,6 +64,11 @@ endmodule module PROOF-PERFORM-ADD-BOARD-MEMBER imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k index 5b2f7736b..d9ebf601d 100644 
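Review bot: PROOF-PERFORM-ADD-BOARD-MEMBER now imports the four TRUSTED-CHANGE-USER-ROLE-* modules, i.e. it discharges the changeUserRole calls by assumption, and the same import block is repeated in the add-proposer-3/5/7/8/9 and remove-user-1/10 proofs below. That is sound only if the matching PROOF-CHANGE-USER-ROLE-* claims are themselves run by the proof pipeline, which this diff does not show (the Makefile is outside this view); if they are not, they should be added to the proof targets. Either way a one-line comment at the import site, e.g. `// Assumed lemmas; discharged by PROOF-CHANGE-USER-ROLE-* in proof/functions/.`, documents the dependency. A stale or never-run lemma here would silently weaken the role-change part of the invariant proof, which is the access-control core of the multisig.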
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-ADD-PROPOSER-3 imports INVARIANT-EXECUTION @@ -62,6 +69,11 @@ endmodule module PROOF-PERFORM-ADD-PROPOSER-3 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k index b5f426e1a..f13a67d84 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-ADD-PROPOSER-5 imports INVARIANT-EXECUTION @@ -62,6 +69,11 @@ endmodule module PROOF-PERFORM-ADD-PROPOSER-5 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k index 99676a1f8..33c0d46b6 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-ADD-PROPOSER-7 imports INVARIANT-EXECUTION @@ -62,6 +69,11 @@ endmodule module PROOF-PERFORM-ADD-PROPOSER-7 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k index a7dca9bea..e86ec6d82 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-ADD-PROPOSER-8 imports INVARIANT-EXECUTION 
@@ -61,6 +68,11 @@ endmodule module PROOF-PERFORM-ADD-PROPOSER-8 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k index 92ad8cbec..afec2fd1d 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-ADD-PROPOSER-9 imports INVARIANT-EXECUTION @@ -58,6 +65,11 @@ endmodule module PROOF-PERFORM-ADD-PROPOSER-9 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k index 473b0baaa..bf63ddcdc 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k 
@@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-REMOVE-USER-1 imports INVARIANT-EXECUTION @@ -65,6 +72,11 @@ endmodule module PROOF-PERFORM-REMOVE-USER-1 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k index 92fb85a1e..ffd3539b5 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-REMOVE-USER-10 imports INVARIANT-EXECUTION @@ -60,6 +67,11 @@ endmodule module PROOF-PERFORM-REMOVE-USER-10 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k index 7c7b8c824..be8b0bdc4 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k 
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-REMOVE-USER-5 imports INVARIANT-EXECUTION @@ -66,6 +73,11 @@ endmodule module PROOF-PERFORM-REMOVE-USER-5 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k index b49fe8b1d..425c04119 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k @@ -1,3 +1,10 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-change-user-role-New.k" +require "../functions/proof-change-user-role-None.k" +require "../functions/proof-change-user-role-BoardMember.k" +require "../functions/proof-change-user-role-Proposer.k" + module TRUSTED-PERFORM-REMOVE-USER-9 imports INVARIANT-EXECUTION @@ -62,6 +69,11 @@ endmodule module PROOF-PERFORM-REMOVE-USER-9 imports INVARIANT-EXECUTION + imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + claim performLhs( diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k index e13da234f..c5efc6395 100644 
--- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k @@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-ADD-BOARD-MEMBER imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeAddBoardMember(_Member:Address); @@ -47,8 +57,8 @@ module PROOF-PROPOSE-ADD-BOARD-MEMBER ActionLastIndex0:Usize, ActionData0:Map, ActionSigners0:Map, - expand(expand(expanded))) - ensures true /*invariant( + expand(expanded)) + ensures invariant( NumUsers:Usize, UserIdToAddress:Map, AddressToUserId:Map, @@ -59,5 +69,5 @@ module PROOF-PROPOSE-ADD-BOARD-MEMBER ?ActionLastIndex1:Usize, ?ActionData1:Map, ?ActionSigners1:Map, - usesExpanded)*/ + usesExpanded) endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k index f64e49935..10aa581e4 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k 
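Review bot: The `expand(expand(expanded))` to `expand(expanded)` change in the claim's last argument is unexplained, and since it decides how far the pseudocode is unfolded before `invariant(...)` is checked it deserves a line such as `// one expansion level suffices: proposeAddBoardMember only delegates to proposeAction` (if that is the reason; I can only infer it from the imports). Enabling the real `ensures invariant(...)` in place of `ensures true` is the substantive fix here; the sibling proof-propose-*.k files in this series only gain imports, so if any of them still carries the `ensures true /*invariant(` placeholder it proves nothing and should be switched the same way. The `claim runExternalCalls(` header and most of its arguments lie outside the hunks.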
@@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-ADD-PROPOSER imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeAddProposer(_Member:Address); diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k index d5a147c4b..495a9718c 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k @@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-CHANGE-QUORUM imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeChangeQuorum(_Quorum:Usize); diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k index f73c11513..f31d7434c 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k 
@@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-REMOVE-USER imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeRemoveUser(_Member:Address); diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k index a0695f574..3009b51da 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k @@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-SC-CALL imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeSCCall( diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k index 2a758e215..6362050f3 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k 
@@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-SC-DEPLOY imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeSCDeploy( diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k index f500f99af..340668c33 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k @@ -1,7 +1,17 @@ +require "../functions/functions-execute.k" + +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-PROPOSE-SEND-EGLD imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim runExternalCalls( ( from _:Address run proposeSendEgld(_To:Address, _Amount:BigUint); diff --git a/multisig/protocol-correctness/proof/invariant/proof-sign.k b/multisig/protocol-correctness/proof/invariant/proof-sign.k index b757b0275..c2a0ea9c4 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-sign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-sign.k 
@@ -1,7 +1,23 @@ +require "../functions/proof-sign-empty-action.k" +require "../functions/proof-sign-caller-not-user.k" +require "../functions/proof-sign-caller-none.k" +require "../functions/proof-sign-caller-proposer.k" +require "../functions/proof-sign-no-signers.k" +require "../functions/proof-sign-existing-signers-in-list.k" +require "../functions/proof-sign-existing-signers-not-in-list.k" + module PROOF-SIGN imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-SIGN-EMPTY-ACTION + imports TRUSTED-SIGN-CALLER-NOT-USER + imports TRUSTED-SIGN-CALLER-NONE + imports TRUSTED-SIGN-CALLER-PROPOSER + imports TRUSTED-SIGN-NO-SIGNERS + imports TRUSTED-SIGN-EXISTING-SIGNERS-IN-LIST + imports TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST + claim runExternalCalls( ( from _:Address run sign(_ActionId:Usize); From 007c7d504f466552bf544d9052239d7967a31ece Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Thu, 1 Apr 2021 20:55:03 +0300 Subject: [PATCH 06/37] tmp --- .../proof/invariant/Makefile | 16 ++++++++++++++-- .../proof/invariant/invariant.mak | 3 ++- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/multisig/protocol-correctness/proof/invariant/Makefile b/multisig/protocol-correctness/proof/invariant/Makefile index 609d0bcf5..57dcdc9e7 100644 --- a/multisig/protocol-correctness/proof/invariant/Makefile +++ b/multisig/protocol-correctness/proof/invariant/Makefile 
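Review bot: The seven `TRUSTED-SIGN-*` imports in PROOF-SIGN encode a case analysis of `sign` (missing action; caller not a user, role None, or Proposer; board member with no signers, already in the list, or not in the list) but the module never states this, so a reader cannot check that the split is exhaustive or that each lemma's `requires` is what its PROOF twin actually proves. I would add a comment above the imports listing the cases, e.g. `// Case split of sign(ActionId): action absent | caller not registered | role None | role Proposer | board member: no signers / already signed / not yet signed`, and say there which lemma handles a board member calling sign on an action id absent from ActionData, as that is the one case not obviously named. The `claim runExternalCalls(` below continues outside the hunk.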
@@ -6,15 +6,21 @@ default: all ; SCRIPT_DIR = .. PROOF_DIR = .. -include ../proof-dependency.mak +include $(PROOF_DIR)/proof-dependency.mak + +FUNCTIONS_DIR = ../functions +include $(FUNCTIONS_DIR)/functions-dependency.mak INVARIANT_DIR = . -include invariant.mak +include $(INVARIANT_DIR)/invariant.mak INVARIANT_PERFORM = $(wildcard $(INVARIANT_DIR)/proof-perform-*.k) FINVARIANT_PERFORM = $(filter-out $(INVARIANT_DIR)/proof-perform-action-endpoint.k, $(INVARIANT_PERFORM)) INVARIANT_PERFORM_TIMESTAMPS = $(addprefix $(INVARIANT_OUT_PREFIX),$(notdir ${FINVARIANT_PERFORM:.k=.timestamp})) +INVARIANT_PROPOSE = $(wildcard $(INVARIANT_DIR)/proof-propose-*.k) +INVARIANT_PROPOSE_TIMESTAMPS = $(addprefix $(INVARIANT_OUT_PREFIX),$(notdir ${INVARIANT_PROPOSE:.k=.timestamp})) + .PHONY: all clean execution short perform all: $(INVARIANT_OUT_PREFIX)proof.timestamp 
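Review bot: The `propose` target introduced in the next hunk is not added to `.PHONY: all clean execution short perform`, which this hunk leaves unchanged, so a stray file named `propose` in proof/invariant would make `make propose` a silent no-op; change it to `.PHONY: all clean execution short perform propose`. Note also that `INVARIANT_PROPOSE` has no `filter-out` counterpart to `FINVARIANT_PERFORM`; that is fine today, but a one-line comment saying the propose proofs need no exclusion would stop someone copying the perform pattern blindly.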
@@ -25,6 +31,8 @@ short: $(INVARIANT_OUT_PREFIX)short-proofs.timestamp perform: $(INVARIANT_OUT_PREFIX)proofperform.timestamp +propose: $(INVARIANT_OUT_PREFIX)proofpropose.timestamp + $(INVARIANT_OUT_PREFIX)short-proofs.timestamp: $(INVARIANT_OUT_PREFIX)proof-init-loop.timestamp $(INVARIANT_OUT_PREFIX)proof-count-can-sign.timestamp $(INVARIANT_OUT_PREFIX)proof-init.timestamp $(INVARIANT_OUT_PREFIX)proof-listlen.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-add-proposer-1.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-add-proposer-2.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-add-proposer-3.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-change-quorum.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-nothing.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-remove-user-1.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-remove-user-2.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-remove-user-5.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-s-c-call.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-s-c-deploy.timestamp $(INVARIANT_OUT_PREFIX)proof-perform-send-egld.timestamp $(INVARIANT_OUT_PREFIX)execution.timestamp $(DIR_GUARD) @touch $(INVARIANT_OUT_PREFIX)short-proof.timestamp @@ -33,4 +41,8 @@ $(INVARIANT_OUT_PREFIX)proofperform.timestamp: ${INVARIANT_PERFORM_TIMESTAMPS} $ $(DIR_GUARD) @touch $(INVARIANT_OUT_PREFIX)proofperform.timestamp +$(INVARIANT_OUT_PREFIX)proofpropose.timestamp: ${INVARIANT_PROPOSE_TIMESTAMPS} $(INVARIANT_OUT_PREFIX)execution.timestamp + $(DIR_GUARD) + @touch $(INVARIANT_OUT_PREFIX)proofpropose.timestamp + clean: invariant.clean diff --git a/multisig/protocol-correctness/proof/invariant/invariant.mak b/multisig/protocol-correctness/proof/invariant/invariant.mak index c1233f735..888f0c98b 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant.mak +++ b/multisig/protocol-correctness/proof/invariant/invariant.mak 
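Review bot: The two recipe lines under the new `proofpropose.timestamp` rule appear to be indented with spaces rather than a tab: the later `[PATCH 07/37]` in this series rewrites exactly `$(DIR_GUARD)` and `@touch $(INVARIANT_OUT_PREFIX)proofpropose.timestamp` with no visible textual change, which is what a whitespace fix looks like, and GNU make rejects space-indented recipes with `missing separator`. While in this file, the unchanged `short-proofs.timestamp` rule above touches `short-proof.timestamp` (singular), so its target is never produced and `make short` reruns every dependency each time; `@touch $(INVARIANT_OUT_PREFIX)short-proofs.timestamp` fixes it.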
@@ -2,7 +2,7 @@ INVARIANT_OUT_PREFIX=out/invariant. INVARIANT_ALL := $(wildcard $(INVARIANT_DIR)/*.k) INVARIANT_PROOFS := $(wildcard $(INVARIANT_DIR)/proof-*.k) -INVARIANT_EXECUTION := $(filter-out $(INVARIANT_PROOFS), $(INVARIANT_ALL)) $(PROOF_EXECUTION) +INVARIANT_EXECUTION := $(filter-out $(INVARIANT_PROOFS), $(INVARIANT_ALL)) $(PROOF_EXECUTION) $(FUNCTIONS_EXECUTION) INVARIANT_PROOF_TIMESTAMPS := $(addprefix $(INVARIANT_OUT_PREFIX),$(notdir ${INVARIANT_PROOFS:.k=.timestamp})) INVARIANT_PROOF_DEBUGGERS := $(addprefix $(INVARIANT_OUT_PREFIX),${INVARIANT_PROOFS:.k=.debugger}) @@ -39,3 +39,4 @@ invariant.clean: -rm -r .kprove-* -rm kore-*.tar.gz -rm $(INVARIANT_OUT_PREFIX)* + -rm *.log From 0d3ebc058a00cf831cae56ca9bd71c829fb7a4d6 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Fri, 2 Apr 2021 17:01:07 +0300 Subject: [PATCH 07/37] tmp --- .../protocol-correctness/proof/execution-proof.k | 1 + .../proof/functions/functions-execute.k | 2 +- .../proof/functions/proof-sign-caller-proposer.k | 2 +- .../functions/proof-sign-existing-signers-in-list.k | 2 +- .../proof-sign-existing-signers-not-in-list.k | 2 +- multisig/protocol-correctness/proof/invariant.k | 2 +- .../protocol-correctness/proof/invariant/Makefile | 4 ++-- .../proof/invariant/init-loop-parts.k | 3 ++- .../proof/invariant/invariant-execution.k | 12 +++++++----- .../proof/invariant/proof-count-can-sign.k | 2 +- multisig/protocol-correctness/proof/settings.mak | 4 ++-- 11 files changed, 20 insertions(+), 16 deletions(-) diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index 1bd11a784..86b3e9dcf 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k @@ -538,6 +538,7 @@ module PROOF-INSTRUMENTATION syntax KItem ::= branchK(Bool, K, K) rule branchK(true, K:K, _:K) => K rule branchK(false, _:K, K:K) => K + endmodule module EXECUTION-PROOF-BOOL 
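Review bot: `INVARIANT_EXECUTION` now appends `$(FUNCTIONS_EXECUTION)`, but invariant.mak does not include functions-dependency.mak itself; it relies on every Makefile that includes invariant.mak having done so first (proof/invariant/Makefile does, while proof/Makefile later in this series includes only proof-dependency.mak and map.mak). From the latter the variable expands empty, the execution timestamp stops depending on the functions files, and a stale kompile result can be used for the invariant proofs. Either `include $(FUNCTIONS_DIR)/functions-dependency.mak` from invariant.mak or guard it with `ifeq ($(FUNCTIONS_EXECUTION),)` / `$(error functions-dependency.mak must be included before invariant.mak)`.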
diff --git a/multisig/protocol-correctness/proof/functions/functions-execute.k b/multisig/protocol-correctness/proof/functions/functions-execute.k index ea17859e3..f72c2f95e 100644 --- a/multisig/protocol-correctness/proof/functions/functions-execute.k +++ b/multisig/protocol-correctness/proof/functions/functions-execute.k @@ -7,7 +7,7 @@ endmodule module FUNCTIONS-INSTRUMENTATION imports PROOF-INSTRUMENTATION - rule preCall + rule preCall ~> (.K => concretizeValue(Role)) ~> call(canSign(Role:UserRole)) [priority(20)] diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k index 547538fd8..1c8ddaf85 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k @@ -43,7 +43,7 @@ module TRUSTED-SIGN-CALLER-PROPOSER andBool notBool u(0) in_keys(UserIdToRole) andBool actionDataInvariant(ActionData) andBool userIdToRoleInvariant(UserIdToRole) - + andBool ActionId in_keys(ActionData) // andBool notBool ActionId in_keys(ActionSigners) ensures true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k index 506299a8e..97ece0bf3 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k @@ -96,7 +96,7 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST andBool notBool u(0) in_keys(UserIdToRole) andBool actionDataInvariant(ActionData) andBool userIdToRoleInvariant(UserIdToRole) - + andBool ActionId in_keys(ActionData) andBool isKResult(Signers) andBool #listContains(Signers, UserId) 
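Review bot: The new `andBool ActionId in_keys(ActionData)` lands in TRUSTED-SIGN-CALLER-PROPOSER here but in PROOF-SIGN-EXISTING-SIGNERS-IN-LIST in the next file, and in each file the twin module (the PROOF or TRUSTED version at the other line number) is outside the hunk; if the two copies of a claim ever differ, kprove proves the weaker one and every importer assumes the stronger one without any error. Either generate the TRUSTED module from the PROOF one or add `// keep identical to the PROOF-/TRUSTED- twin in this file` next to each claim's `requires`. The commented-out `// andBool notBool ActionId in_keys(ActionSigners)` left beside the new line should say whether it was dropped deliberately or is still pending. Both claims begin and end outside the hunks.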
diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k index c9aeed016..738f86f39 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k @@ -43,7 +43,7 @@ module TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST andBool notBool u(0) in_keys(UserIdToRole) andBool actionDataInvariant(ActionData) andBool userIdToRoleInvariant(UserIdToRole) - + andBool ActionId in_keys(ActionData) andBool isKResult(Signers) andBool notBool #listContains([Signers], UserId) diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k index a8b349457..31d33003e 100644 --- a/multisig/protocol-correctness/proof/invariant.k +++ b/multisig/protocol-correctness/proof/invariant.k @@ -237,7 +237,7 @@ module INVARIANT - + syntax Bool ::= invariant( numUsers:Usize, userIdToAddress:Map, diff --git a/multisig/protocol-correctness/proof/invariant/Makefile b/multisig/protocol-correctness/proof/invariant/Makefile index 57dcdc9e7..2858ff861 100644 --- a/multisig/protocol-correctness/proof/invariant/Makefile +++ b/multisig/protocol-correctness/proof/invariant/Makefile @@ -42,7 +42,7 @@ $(INVARIANT_OUT_PREFIX)proofperform.timestamp: ${INVARIANT_PERFORM_TIMESTAMPS} $ @touch $(INVARIANT_OUT_PREFIX)proofperform.timestamp $(INVARIANT_OUT_PREFIX)proofpropose.timestamp: ${INVARIANT_PROPOSE_TIMESTAMPS} $(INVARIANT_OUT_PREFIX)execution.timestamp - $(DIR_GUARD) - @touch $(INVARIANT_OUT_PREFIX)proofpropose.timestamp + $(DIR_GUARD) + @touch $(INVARIANT_OUT_PREFIX)proofpropose.timestamp clean: invariant.clean diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k index 16206bc79..91cc11831 100644 
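Review bot: In TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST the context line `andBool notBool #listContains([Signers], UserId)` wraps `Signers` in brackets while the in-list twin's precondition is `#listContains(Signers, UserId)`; if `[Signers]` builds a one-element list around an already List-sorted variable, the not-in-list lemma's precondition talks about a different value than `sign` manipulates and may be usable only in a trivial way. Please confirm the sort of `Signers` and make the two preconditions agree, keeping the new `ActionId in_keys(ActionData)` conjunct on both sides. The claim continues outside the hunk.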
--- a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k +++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k @@ -70,7 +70,6 @@ module INIT-LOOP-PARTS Stack ExternalCallEnv - @@ -216,6 +215,8 @@ module INIT-LOOP-PARTS andBool noReusedIndexValue(NumUsers +Int 1, AddressToUserId, Handling) andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), Handling) + andBool userIdToRoleInvariant(UserIdToRole) // andBool valuesAreOfType(UserIdToRole, rUserRole) // andBool valuesAreKResult(UserIdToRole) diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index fafd20eb4..16d8407c9 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k @@ -56,7 +56,7 @@ endmodule module PERFORM-SPLIT-ACTION-INSTRUMENTATION imports PSEUDOCODE - + syntax KItem ::= "splitting-action" rule pushContext ~> (.K => splitAction(A) ~> splitting-action) ~> call(performAction(A:Action)) ... @@ -83,6 +83,7 @@ module PERFORM-SPLIT-ACTION-INSTRUMENTATION _Function:BoxedBytes, _Arguments:ExpressionList)) => .K + endmodule module PERFORM-ACTION-REMOVE-USER-INSTRUMENTATION @@ -151,13 +152,14 @@ module PERFORM-ACTION-SC-DEPLOY-INSTRUMENTATION Arguments:ExpressionList))) ... [priority(10)] + endmodule module PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION imports INVARIANT-INSTRUMENTATION imports PERFORM-SPLIT-ACTION-INSTRUMENTATION imports PSEUDOCODE - + syntax KItem ::= splittingActionProposer1(Address) syntax KItem ::= splittingActionProposer2(Address) 
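Review bot: The new conjunct `unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), Handling)` strengthens the loop invariant without a word on why it is needed alongside the value-side `unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling)` directly above it, or why the bound is `NumUsers +Int 1`; a future edit could drop either as redundant. I would add `// ids above NumUsers are unused both as values of AddressToUserId and as keys of UserIdToAddress; the +1 presumably accounts for the user registered in this iteration -- confirm` above the pair. The invariant conjunction starts and ends outside the hunk.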
@@ -251,7 +253,7 @@ module CHANGE-USER-ROLE-INSTRUMENTATION syntax KItem ::= splitChangeUserRole2(Address) syntax KItem ::= splitChangeUserRole3(Usize) - rule preCall + rule preCall ~> (.K => splitChangeUserRole(UserAddress)) ~> call(changeUserRole(UserAddress:Address, _NewRole:UserRole)) [priority(20)] @@ -302,7 +304,7 @@ module SIGN-INSTRUMENTATION syntax KItem ::= splitSign2(Usize) syntax KItem ::= splitSign3(Usize) - rule preCall + rule preCall ~> (.K => splitSign(ActionId)) ~> call(sign(ActionId:Usize)) [priority(20)] @@ -353,7 +355,7 @@ module SIGN-INSTRUMENTATION ActionSigners:Map requires CallerAddress in_keys(AddressToUserId) andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) - endmodule +endmodule module INVARIANT-EXECUTION imports EXECUTION-PROOF diff --git a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k index 34c9e48d2..bf61af377 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k @@ -41,7 +41,7 @@ module TRUSTED-COUNT-CAN-SIGN ExternalCallEnv) ensures countCanSignEnsures( - ?Count, + u(countCanSignFunction(SignerIds, opaque(UserIdToRole))), Users, NumBoardMembers, NumProposers, diff --git a/multisig/protocol-correctness/proof/settings.mak b/multisig/protocol-correctness/proof/settings.mak index 9ba6eb94f..85d65e2b2 100644 --- a/multisig/protocol-correctness/proof/settings.mak +++ b/multisig/protocol-correctness/proof/settings.mak 
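Review bot: Replacing the existential `?Count` with `u(countCanSignFunction(SignerIds, opaque(UserIdToRole)))` makes TRUSTED-COUNT-CAN-SIGN assert an exact value, which is only sound if PROOF-COUNT-CAN-SIGN (outside the hunk) proves that same equality rather than the old existential. `opaque` is the map wrapper defined in map-execute.k, which this series only adds as `[PATCH 10/37]`, so unless invariant-execution.k already imports a module providing it this commit does not build on its own and breaks bisection. A one-line comment, `// exact count; must match the ensures of PROOF-COUNT-CAN-SIGN below`, would make the coupling visible.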
@@ -1,5 +1,5 @@ SHELL?=/bin/bash -euo pipefail -BACKEND_COMMAND ?= "kore-exec --smt-timeout 200" -DEBUG_COMMAND ?= "kore-repl --smt-timeout 200 --repl-script /home/virgil/runtime-verification/k/haskell-backend/src/main/native/haskell-backend/kore/data/kast.kscript" +BACKEND_COMMAND ?= "kore-exec --smt-timeout 4000" +DEBUG_COMMAND ?= "kore-repl --smt-timeout 4000 --repl-script /home/virgil/runtime-verification/k/haskell-backend/src/main/native/haskell-backend/kore/data/kast.kscript" DIR_GUARD ?= @mkdir -p $(@D) From cb9c8edd3846066b39f852d39a4bc70ac01c86fe Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Fri, 2 Apr 2021 17:01:55 +0300 Subject: [PATCH 08/37] tmp --- multisig/protocol-correctness/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/multisig/protocol-correctness/.gitignore b/multisig/protocol-correctness/.gitignore index 7fbb9620a..87f27b29b 100644 --- a/multisig/protocol-correctness/.gitignore +++ b/multisig/protocol-correctness/.gitignore @@ -3,3 +3,4 @@ *.cmp .krun-* kore-*.tar.gz +*.tar.gz From 79478812e81124988d712210f6d08d64d618d028 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Fri, 2 Apr 2021 17:07:55 +0300 Subject: [PATCH 09/37] tmp --- multisig/protocol-correctness/pseudocode.k | 2 ++ 1 file changed, 2 insertions(+) diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k index 5d964e03b..deaae52e9 100644 --- a/multisig/protocol-correctness/pseudocode.k +++ b/multisig/protocol-correctness/pseudocode.k @@ -511,6 +511,8 @@ module PSEUDOCODE-FUNCTIONS => (pushContext ~> preCall ~> call(FunctionCall) ~> popContext ~> evaluateReturnValue) ... + rule preCall => .K + rule pushContext => .K ... S:MultisigStateCell From 3787c76a10a3b7c2f5eca7318a294bbd3ddee0f2 Mon Sep 17 00:00:00 2001 
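Review bot: The rewritten `DEBUG_COMMAND` still embeds the absolute path `/home/virgil/runtime-verification/.../kast.kscript`, so the debug target works for exactly one checkout; since the line is being replaced anyway, lift the path into its own overridable variable, `KAST_SCRIPT ?= /home/virgil/runtime-verification/k/haskell-backend/src/main/native/haskell-backend/kore/data/kast.kscript` and `DEBUG_COMMAND ?= "kore-repl --smt-timeout $(SMT_TIMEOUT) --repl-script $(KAST_SCRIPT)"`. The twentyfold jump of `--smt-timeout` to 4000 in both commands is unexplained; a short comment naming the proof that needed it would help whoever later tries to bring it back down.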
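Review bot: `rule preCall => .K` runs at the default priority and is only pre-empted by the instrumentation rules of the form `rule preCall ~> (.K => ...) ~> call(...) [priority(20)]` in the proof modules; that numeric ordering is all that keeps the hooks from being dropped, and nothing here says so. Add `// Default: a call has no pre-call hook. Proof instrumentation overrides this with [priority(20)] rules on preCall ~> call(...); keep them strictly below the default priority (50) or this rule wins and the hook is silently skipped.` above the rule.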
From: Virgil Serbanuta Date: Tue, 16 Mar 2021 17:25:24 +0200 Subject: [PATCH 10/37] Map properties --- multisig/protocol-correctness/proof/Makefile | 11 +- .../protocol-correctness/proof/map/Makefile | 17 ++ .../proof/map/map-execute.k | 195 ++++++++++++++++++ .../protocol-correctness/proof/map/map.mak | 41 ++++ .../proof/map/proof-map-semantics.k | 54 +++++ 5 files changed, 315 insertions(+), 3 deletions(-) create mode 100644 multisig/protocol-correctness/proof/map/Makefile create mode 100644 multisig/protocol-correctness/proof/map/map-execute.k create mode 100644 multisig/protocol-correctness/proof/map/map.mak create mode 100644 multisig/protocol-correctness/proof/map/proof-map-semantics.k diff --git a/multisig/protocol-correctness/proof/Makefile b/multisig/protocol-correctness/proof/Makefile index 2eede6065..00e8e351c 100644 --- a/multisig/protocol-correctness/proof/Makefile +++ b/multisig/protocol-correctness/proof/Makefile @@ -8,13 +8,18 @@ SCRIPT_DIR=. PROOF_DIR := . include proof-dependency.mak +MAP_DIR := map +include map/map.mak + INVARIANT_DIR := invariant include invariant/invariant.mak -.PHONY: all invariant clean +.PHONY: all invariant map clean -all: invariant +all: invariant map invariant: $(INVARIANT_OUT_PREFIX)proof.timestamp -clean: invariant.clean +map: $(MAP_OUT_PREFIX)proof.timestamp + +clean: invariant.clean map.clean diff --git a/multisig/protocol-correctness/proof/map/Makefile b/multisig/protocol-correctness/proof/map/Makefile new file mode 100644 index 000000000..a0c7c98c0 --- /dev/null +++ b/multisig/protocol-correctness/proof/map/Makefile @@ -0,0 +1,17 @@ +include ../settings.mak + +.PHONY: default +default: all ; + +SCRIPT_DIR=.. + +MAP_DIR := . +include map.mak + +.PHONY: all clean execution + +all: out/map.proof.timestamp + +execution: out/map.execution.timestamp + +clean: map.clean 
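Review bot: map/Makefile spells its targets as `out/map.proof.timestamp` and `out/map.execution.timestamp` while proof/Makefile reaches the same proof through `$(MAP_OUT_PREFIX)proof.timestamp`; if map.mak ever changes `MAP_OUT_PREFIX` the two entry points diverge silently. Use the variable in both places, `all: $(MAP_OUT_PREFIX)proof.timestamp` and `execution: $(MAP_OUT_PREFIX)execution.timestamp`. proof/Makefile also includes map.mak and invariant.mak but not functions-dependency.mak, which invariant.mak relies on for `$(FUNCTIONS_EXECUTION)`.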
diff --git a/multisig/protocol-correctness/proof/map/map-execute.k b/multisig/protocol-correctness/proof/map/map-execute.k new file mode 100644 index 000000000..e94b98b6c --- /dev/null +++ b/multisig/protocol-correctness/proof/map/map-execute.k 
@@ -0,0 +1,195 @@
+module MAP-EXECUTE-SYNTAX
+endmodule
+
+module MAP-EXECUTE
+ imports MAP
+ imports INT
+
+ // The Haskell backend does not send functions applied to things
+ // that can be bottom to the SMT solver, even if the side condition restricts
+ // the arguments to non-bottom things.
+ //
+ // A (K |-> V M:Map) map representation is bottom if `K in_keys(M)`, hence
+ // the function-based representation below. This means that whatever function
+ // is using these can manipulate them only through simplification rules.
+ syntax Map ::= opaque(Map) [function, functional]
+ | concat(key:KItem, value:KItem, Map) [function, functional, no-evaluators]
+ | extractMap(Map) [function, functional]
+ rule opaque(K:KItem |-> V:KItem M:Map) => concat(K, V, opaque(M))
+ ensures notBool K in_keys(M)
+ [simplification]
+ rule extractMap(opaque(M:Map)) => M
+ [simplification]
+ rule extractMap(concat(K:KItem, V:KItem, M:Map)) => K |-> V extractMap(M)
+ [simplification]
+
+ rule K:KItem in_keys(opaque(M)) => K in_keys(M)
+ [simplification]
+ rule K1:KItem in_keys(concat(K2:KItem, _:KItem, M:Map))
+ => K1 ==K K2 orBool K1 in_keys(M)
+ [simplification]
+
+ rule opaque(M:Map)[K:KItem] orDefault V:KItem => M[K] orDefault V
+ [simplification]
+ rule concat(K2:KItem, V2:KItem, _:Map)[K1:KItem] orDefault _:KItem
+ => V2
+ requires K1 ==K K2
+ [simplification(20)]
+ rule concat(K2:KItem, _:KItem, M:Map)[K1:KItem] orDefault V1:KItem
+ => M[K1] orDefault V1
+ requires notBool (K1 ==K K2)
+ [simplification(20)]
+ // TODO: Is this needed? Is this good?
+ rule concat(K2:KItem, V2:KItem, M:Map)[K1:KItem] orDefault V1:KItem
+ => extractMap(concat(K2:KItem, V2:KItem, M:Map))[K1:KItem] orDefault V1:KItem
+ requires K1 ==K K2
+ [simplification(50)]
+
+ rule opaque(M:Map)[K:KItem <- undef] => opaque(M[K <- undef])
+ [simplification]
+ rule concat(K2:KItem, _:KItem, M:Map)[K1:KItem <- undef] => M
+ requires K1 ==K K2
+ [simplification]
+ rule concat(K2:KItem, V2:KItem, M:Map)[K1:KItem <- undef]
+ => concat(K2, V2, M[K1 <- undef])
+ requires notBool (K1 ==K K2)
+ [simplification]
+
+ syntax MapElementProperty ::= "MEP.AlwaysFalse"
+ | "MEP.AlwaysTrue"
+ | "MEP.AnyProperty"
+ | "MEP.IsValue" "(" KItem ")"
+ syntax Bool ::= applyMapElementProperty(
+ MapElementProperty,
+ key:KItem,
+ value:KItem
+ ) [function, functional]
+ syntax Bool ::= uninterpretedElementProperty(key:KItem, value:KItem)
+ [function, functional, no-evaluators]
+
+ rule applyMapElementProperty(MEP.AlwaysFalse, _:KItem, _:KItem) => false
+ rule applyMapElementProperty(MEP.AlwaysTrue, _:KItem, _:KItem) => true
+ rule applyMapElementProperty(MEP.AnyProperty, Key:KItem, Value:KItem)
+ => uninterpretedElementProperty(Key, Value)
+ rule applyMapElementProperty(MEP.IsValue(V:KItem), _Key:KItem, Value:KItem)
+ => V ==K Value
+
+ syntax Int ::= countMapElementProperty(
+ MapElementProperty,
+ key:KItem,
+ value:KItem
+ ) [function, functional]
+
+ rule countMapElementProperty(Property:MapElementProperty, Key:KItem, Value:KItem)
+ => 0
+ requires notBool applyMapElementProperty(Property, Key, Value)
+ rule countMapElementProperty(Property:MapElementProperty, Key:KItem, Value:KItem)
+ => 1
+ requires applyMapElementProperty(Property, Key, Value)
+
+ syntax Int ::= mapCount(Map, MapElementProperty) [function, functional, smtlib(mapCount)]
+
+ // TODO: Use this everywhere
+ rule mapCount(.Map, _:MapElementProperty) => 0
+ rule mapCount(K:KItem |-> V:KItem M:Map, Property:MapElementProperty)
+ => countMapElementProperty(Property, K, V) +Int mapCount(M, Property)
+ [simplification]
+
+ rule mapCount(_:Map, _:MapElementProperty) >=Int 0 => true
+ [simplification, smt-lemma]
+
+ rule mapCount(M:Map, MEP.AlwaysTrue) >Int 0 => notBool (M ==K .Map)
+ [simplification]
+
+ syntax SelectPropertyIntermediateResult ::= found(key:KItem, value:KItem, Map)
+ | notFoundYet(inner:Map, MapElementProperty, checked:Map)
+ syntax KItem ::= lazyMapSelectProperty(Map, MapElementProperty)
+ syntax KItem ::= #lazyMapSelectProperty(result:SelectPropertyIntermediateResult)
+ syntax KItem ::= mapSelectPropertyAddBack(Map)
+ syntax KItem ::= "mapSelectPropertyEnd"
+
+ syntax KItem ::= findInnerMap(Map, MapElementProperty, SelectPropertyIntermediateResult) [function, functional]
+ syntax KItem ::= #findInnerMap(Map, MapElementProperty, checked:Map, SelectPropertyIntermediateResult) [function, functional]
+
+ rule lazyMapSelectProperty(M:Map, P:MapElementProperty)
+ => findInnerMap(M, P, ?Result:SelectPropertyIntermediateResult)
+ ~> #lazyMapSelectProperty(?Result)
+
+ rule #lazyMapSelectProperty(notFoundYet(Inner:Map, Property:MapElementProperty, Checked:Map))
+ => mapSelectProperty(Inner, Property) ~> mapSelectPropertyAddBack(Checked)
+ rule #lazyMapSelectProperty(found(Key:KItem, Value:KItem, M:Map)) => mapSelected(Key, Value, M)
+
+ rule mapSelected(Key:KItem, Value:KItem, M:Map) ~> mapSelectPropertyAddBack(N:Map)
+ => mapSelected(Key, Value, M N)
+ rule mapNotFound ~> mapSelectPropertyAddBack(_:Map)
+ => mapNotFound
+
+ rule mapSelectPropertyEnd => .K
+
+ rule findInnerMap(M:Map, P:MapElementProperty, Result:SelectPropertyIntermediateResult)
+ => #findInnerMap(M, P, .Map, Result)
+ rule #findInnerMap(K:KItem |-> V:KItem M:Map, P:MapElementProperty, Checked:Map, Result:SelectPropertyIntermediateResult)
+ => #findInnerMap(M, P, K |-> V Checked, Result)
+ requires notBool applyMapElementProperty(P, K, V)
+ [simplification(20)]
+ rule #findInnerMap(K:KItem |-> V:KItem M:Map, P:MapElementProperty, Checked:Map, Result:SelectPropertyIntermediateResult)
+ => mapSelectPropertyEnd
+ requires applyMapElementProperty(P, K, V)
+ ensures Result ==K found(K, V, iterateConcat(M, Checked))
+ [simplification(20)]
+ rule #findInnerMap(M:Map, P:MapElementProperty, Checked:Map, Result:SelectPropertyIntermediateResult)
+ => mapSelectPropertyEnd
+ ensures Result ==K notFoundYet(M, P, Checked)
+ [simplification(50)]
+
+ // TODO: Remove after https://github.com/kframework/kore/issues/2494 is fixed
+ syntax Map ::= iterateConcat(Map, Map) [function]
+ rule iterateConcat(M:Map, .Map) => M
+ rule iterateConcat(M:Map, K:KItem |-> V:KItem N) => iterateConcat(K |-> V M, N)
+ requires notBool K in_keys(M)
+ ensures notBool K in_keys(N)
+ [simplification(20)]
+ rule iterateConcat(M, N) => M N
+ [simplification(50)]
+
+ syntax KItem ::= mapSelectProperty(Map, MapElementProperty)
+ syntax KItem ::= #mapSelectProperty(
+ toProcess:Map, MapElementProperty, processed:Map)
+ syntax KItem ::= #mapSelectedProperty(
+ key:KItem, value:KItem,
+ toProcess:Map, MapElementProperty, processed:Map)
+
+ syntax KItem ::= mapSelected(key:KItem, value:KItem, Map)
+ syntax KItem ::= "mapNotFound"
+
+ rule mapSelectProperty(M:Map, Property:MapElementProperty)
+ => #mapSelectProperty(M, Property, .Map)
+
+ rule #mapSelectProperty(.Map, _:MapElementProperty, _:Map)
+ => mapNotFound
+ rule #mapSelectProperty(
+ M:Map,
+ Property:MapElementProperty,
+ Processed:Map)
+ => #mapSelectedProperty(?Key, ?Value, ?M, Property, Processed)
+ requires notBool (M ==K .Map)
+ ensures (M ==K (?Key:KItem |-> ?Value:KItem ?M:Map))
+
+ rule #mapSelectedProperty(
+ Key:KItem,
+ Value:KItem,
+ M:Map,
+ Property:MapElementProperty,
+ Processed:Map)
+ => mapSelected(Key, Value, M Processed)
+ requires applyMapElementProperty(Property, Key, Value)
+ rule #mapSelectedProperty(
+ Key:KItem,
+ Value:KItem,
+ M:Map,
+ Property:MapElementProperty,
+ Processed:Map)
+ => #mapSelectProperty(M, Property, Key |-> Value Processed)
+ requires notBool applyMapElementProperty(Property, Key, Value)
+
+endmodule
diff --git a/multisig/protocol-correctness/proof/map/map.mak b/multisig/protocol-correctness/proof/map/map.mak
new file mode 100644
index 000000000..8d7d044c2
--- /dev/null
+++ b/multisig/protocol-correctness/proof/map/map.mak
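Review bot: The `[simplification(50)]` rule under `// TODO: Is this needed? Is this good?` carries the same side condition, `requires K1 ==K K2`, as the `[simplification(20)]` rule two rules above it that rewrites the same `concat(...)[K1] orDefault` pattern straight to `V2`, so whenever the prover can discharge that condition the higher-priority rule has already fired and the `extractMap` detour never runs; it reads as dead, and if it is kept as a fallback for a backend quirk the TODO should name the quirk. The `lazyMapSelectProperty` machinery needs a comment, because `findInnerMap`/`#findInnerMap` are declared as functions yet every rule evaluates to the constant `mapSelectPropertyEnd` and delivers the real answer only through `ensures Result ==K ...` on the fresh `?Result` bound in `lazyMapSelectProperty`'s rule, e.g. `// findInnerMap always evaluates to mapSelectPropertyEnd; the search result is bound to ?Result through the ensures clauses so that the scan happens during simplification, and #lazyMapSelectProperty then dispatches on it`. `iterateConcat` is the only helper here declared `[function]` without `functional`, presumably because `M N` is bottom when keys overlap; one clause in the existing `// TODO: Remove after ...` comment saying so would stop a reader from "fixing" the attribute.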
@@ -0,0 +1,41 @@
+MAP_OUT_PREFIX=out/map.
+
+MAP_ALL := $(wildcard $(MAP_DIR)/*.k)
+MAP_PROOFS := $(wildcard $(MAP_DIR)/proof-*.k)
+MAP_EXECUTION := $(filter-out $(MAP_PROOFS), $(MAP_ALL))
+
+MAP_PROOF_TIMESTAMPS := $(addprefix $(MAP_OUT_PREFIX),$(notdir ${MAP_PROOFS:.k=.timestamp}))
+MAP_PROOF_DEBUGGERS := $(addprefix $(MAP_OUT_PREFIX),$(notdir ${MAP_PROOFS:.k=.debugger}))
+
+.PHONY: map.clean ${MAP_PROOF_DEBUGGERS}
+
+$(MAP_OUT_PREFIX)proof.timestamp: ${MAP_PROOF_TIMESTAMPS}
+ $(DIR_GUARD)
+ @touch $(MAP_OUT_PREFIX)proof.timestamp
+
+$(MAP_OUT_PREFIX)proof-%.timestamp: ${MAP_DIR}/proof-%.k $(MAP_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Proving $*..."
+ @cat /proc/uptime | sed 's/\s.*//' > $(MAP_OUT_PREFIX)proof-$*.duration.temp
+ @((kprove $< --directory $(MAP_DIR) --haskell-backend-command $(BACKEND_COMMAND) > $(MAP_OUT_PREFIX)proof-$*.out 2>&1) && echo "$* done") || (cat $(MAP_OUT_PREFIX)proof-$*.out; echo "$* failed"; echo "$*" >> $(MAP_OUT_PREFIX)failures; false)
+ @cat /proc/uptime | sed 's/\s.*//' >> $(MAP_OUT_PREFIX)proof-$*.duration.temp
+ @$(SCRIPT_DIR)/compute-duration.py $(MAP_OUT_PREFIX)proof-$*.duration.temp > $(MAP_OUT_PREFIX)proof-$*.duration
+ @rm $(MAP_OUT_PREFIX)proof-$*.duration.temp
+ @touch $(MAP_OUT_PREFIX)proof-$*.timestamp
+
+$(MAP_OUT_PREFIX)proof-%.debugger: ${MAP_DIR}/proof-%.k $(MAP_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Debugging $*..."
+ @kprove $< --directory $(MAP_DIR) --haskell-backend-command $(DEBUG_COMMAND)
+
+$(MAP_OUT_PREFIX)execution.timestamp: $(MAP_DIR)/map-execute.k $(MAP_EXECUTION)
+ $(DIR_GUARD)
+ @echo "Compiling execution..."
+ @kompile $< --backend haskell --directory $(MAP_DIR)
+ @touch $(MAP_OUT_PREFIX)execution.timestamp
+
+map.clean:
+ -rm -r $(MAP_DIR)/*-kompiled
+ -rm -r .kprove-*
+ -rm kore-*.tar.gz
+ -rm $(MAP_OUT_PREFIX)*
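Review bot: `MAP_OUT_PREFIX=out/map.` is resolved against the directory make is invoked from, not against `$(MAP_DIR)`, whereas the kompiled definition is placed with `--directory $(MAP_DIR)`; through `proof/Makefile` (where `MAP_DIR := map`) the timestamps and `proof-*.out` files land in `proof/out/`, through `proof/map/Makefile` (where `MAP_DIR := .`) they land in `proof/map/out/`, so the two entry points never see each other's results and each re-proves from scratch. Anchoring the prefix, `MAP_OUT_PREFIX=$(MAP_DIR)/out/map.`, and pointing `map/Makefile`'s `all:` at `$(MAP_OUT_PREFIX)proof.timestamp` instead of the literal `out/map.proof.timestamp` would make both paths agree. `$(MAP_OUT_PREFIX)execution.timestamp` lists `$(MAP_DIR)/map-execute.k` and then `$(MAP_EXECUTION)`, which already contains it via the `*.k` wildcard; harmless, but worth a comment if the explicit first prerequisite is there only so that `$<` names the right file. The same layout is copied into `properties.mak` in the next commit (`PROPERTIES_OUT_PREFIX`), so a fix belongs in both.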
diff --git a/multisig/protocol-correctness/proof/map/proof-map-semantics.k b/multisig/protocol-correctness/proof/map/proof-map-semantics.k new file mode 100644 index 000000000..0dd608909 --- /dev/null +++ b/multisig/protocol-correctness/proof/map/proof-map-semantics.k 
@@ -0,0 +1,54 @@
+module TRUSTED-MAP-SEMANTICS
+ imports MAP-EXECUTE
+
+ claim mapSelectProperty(M:Map, Property:MapElementProperty)
+ => mapSelected(?Key:KItem, ?Value:KItem, ?M:Map)
+ requires mapCount(M, Property) >Int 0
+ ensures applyMapElementProperty(Property, ?Key, ?Value)
+ andBool M ==K (?Key |-> ?Value ?M)
+ [trusted]
+
+ claim mapSelectProperty(M:Map, Property:MapElementProperty)
+ => mapNotFound
+ requires notBool (mapCount(M, Property) >Int 0)
+ [trusted]
+endmodule
+
+module PROOF-MAP-SEMANTICS
+ imports MAP-EXECUTE
+
+ claim mapSelectProperty(M:Map, Property:MapElementProperty)
+ => mapSelected(?Key:KItem, ?Value:KItem, ?M:Map)
+ requires mapCount(M, Property) >Int 0
+ ensures applyMapElementProperty(Property, ?Key, ?Value)
+ andBool M ==K (?Key |-> ?Value ?M)
+
+ claim mapSelectProperty(M:Map, Property:MapElementProperty)
+ => mapNotFound
+ requires notBool (mapCount(M, Property) >Int 0)
+
+ claim #mapSelectProperty(M:Map, Property:MapElementProperty, Processed:Map)
+ => mapSelected(?Key:KItem, ?Value:KItem, ?M:Map)
+ requires mapCount(M, Property) >Int 0
+ ensures applyMapElementProperty(Property, ?Key, ?Value)
+ andBool (?Key |-> ?Value ?M) ==K (M Processed)
+
+ claim #mapSelectProperty(M:Map, Property:MapElementProperty, _Processed:Map)
+ => mapNotFound
+ requires notBool (mapCount(M, Property) >Int 0)
+
+ claim lazyMapSelectProperty(M:Map, MEP.IsValue(2) #as Property:MapElementProperty)
+ => mapSelected(?Key:KItem, 2, ?N:Map)
+ requires mapCount(M, Property) >Int 0
+ ensures M ==K (?Key:KItem |-> 2 ?N)
+ claim lazyMapSelectProperty(M:Map, MEP.IsValue(2) #as Property:MapElementProperty)
+ => mapNotFound
+ requires notBool mapCount(M, Property) >Int 0
+
+ claim lazyMapSelectProperty(
+ (2|->2 N:Map) #as M:Map,
+ MEP.IsValue(2) #as Property:MapElementProperty)
+ => mapSelected(2, 2, N)
+ requires mapCount(M, Property) >Int 0
+
+endmodule
\ No newline at end of file
From 1d1031958f376beca70760d59770d27c0f27fb54 Mon Sep 17 00:00:00 2001
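Review bot: The two `[trusted]` claims in TRUSTED-MAP-SEMANTICS are verbatim copies of the first two claims proved in PROOF-MAP-SEMANTICS, but nothing ties the copies together: an edit to the proved claim or to `mapSelectProperty`'s rules leaves the trusted copy, and every proof importing it, relying on a statement that is no longer the one proved. A comment on the trusted module, e.g. `// Assumed here, proved as the first two claims of PROOF-MAP-SEMANTICS below; keep both copies identical.`, makes that maintenance obligation explicit; the same pairing recurs in proof-board-members-sign-for.k, -2.k and -3.k, and commit 12 lengthens the chain by importing TRUSTED-BOARD-MEMBERS-SIGN-FOR into PROOF-BOARD-MEMBERS-SIGN-FOR-2, so a stale copy anywhere in it reaches PROOF-CAN-PROPOSE-AND-EXECUTE. `lazyMapSelectProperty` is proved only for the literal property `MEP.IsValue(2)` while the trusted module exports nothing about it; if the three instance claims are meant as smoke tests rather than the contract, a comment should say so, and a general claim is still needed before other proofs lean on the lazy variant. Minor: the second `lazyMapSelectProperty` claim writes `requires notBool mapCount(M, Property) >Int 0` without the parentheses the matching `mapSelectProperty` claim uses, and the file lacks a final newline.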
From: Virgil Serbanuta Date: Tue, 16 Mar 2021 17:26:08 +0200 Subject: [PATCH 11/37] Can always add and execute action --- multisig/protocol-correctness/proof/Makefile | 11 +- .../proof/properties/Makefile | 26 +++ .../proof-board-members-sign-for-2.k | 151 +++++++++++++++ .../proof-board-members-sign-for-3.k | 151 +++++++++++++++ .../properties/proof-board-members-sign-for.k | 150 +++++++++++++++ .../proof-can-propose-and-execute.k | 78 ++++++++ .../proof/properties/properties-execute.k | 180 ++++++++++++++++++ .../proof/properties/properties.mak | 41 ++++ 8 files changed, 785 insertions(+), 3 deletions(-) create mode 100644 multisig/protocol-correctness/proof/properties/Makefile create mode 100644 multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k create mode 100644 multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k create mode 100644 multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k create mode 100644 multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k create mode 100644 multisig/protocol-correctness/proof/properties/properties-execute.k create mode 100644 multisig/protocol-correctness/proof/properties/properties.mak diff --git a/multisig/protocol-correctness/proof/Makefile b/multisig/protocol-correctness/proof/Makefile index 00e8e351c..7e80ffa50 100644 --- a/multisig/protocol-correctness/proof/Makefile +++ b/multisig/protocol-correctness/proof/Makefile 
@@ -14,12 +14,17 @@ include map/map.mak INVARIANT_DIR := invariant include invariant/invariant.mak -.PHONY: all invariant map clean +PROPERTIES_DIR := properties +include properties/properties.mak -all: invariant map +.PHONY: all invariant map properties clean + +all: invariant map properties invariant: $(INVARIANT_OUT_PREFIX)proof.timestamp map: $(MAP_OUT_PREFIX)proof.timestamp -clean: invariant.clean map.clean +properties: $(PROPERTIES_OUT_PREFIX)proof.timestamp + +clean: invariant.clean map.clean properties.clean diff --git a/multisig/protocol-correctness/proof/properties/Makefile b/multisig/protocol-correctness/proof/properties/Makefile new file mode 100644 index 000000000..6bce66294 --- /dev/null +++ b/multisig/protocol-correctness/proof/properties/Makefile @@ -0,0 +1,26 @@ +include ../settings.mak + +.PHONY: default +default: all ; + +SCRIPT_DIR=.. + +PROOF_DIR := .. +include ../proof-dependency.mak + +MAP_DIR := ../map +include $(MAP_DIR)/map.mak + +INVARIANT_DIR := ../invariant +include $(INVARIANT_DIR)/invariant.mak + +PROPERTIES_DIR := . +include properties.mak + +.PHONY: all clean execution + +all: out/properties.proof.timestamp + +execution: out/properties.execution.timestamp + +clean: properties.clean diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k new file mode 100644 index 000000000..792e01b74 --- /dev/null +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k 
@@ -0,0 +1,151 @@ +require "../map/proof-map-semantics.k" + +module TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 + imports PROPERTIES-EXECUTE + imports PSEUDOCODE + + claim + boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) + ~> K:K + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, + ActionSigners:Map) + + => + + K:K + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + expand(expanded)) + + andBool newUserIdToRoleInvariant(PartialUserRoles, UserIdToAddress) + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + andBool mapsAreReverse(AddressToUserId, UserIdToAddress) + andBool mapIncluded(PartialUserRoles, UserRoles) + andBool valuesAreNotEmpty(ActionData, rAction) + andBool notBool ActionIndex in_keys(ActionSigners) + andBool countMapValues(PartialUserRoles, BoardMember) >Int 0 + + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners, + usesExpanded) + + andBool countCanSignFunction(?Signatures, opaque(UserRoles)) + ==Int countMapValues(PartialUserRoles, BoardMember) + [trusted] +endmodule + +module PROOF-BOARD-MEMBERS-SIGN-FOR-2 + imports MAP-EXECUTE + imports PROPERTIES-EXECUTE + imports PSEUDOCODE + + imports TRUSTED-MAP-SEMANTICS + + claim + boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) + ~> K:K + + invariantState( + NumUsers:Usize, + 
UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, + ActionSigners:Map) + + => + + K:K + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + expand(expanded)) + + andBool newUserIdToRoleInvariant(PartialUserRoles, UserIdToAddress) + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + andBool mapsAreReverse(AddressToUserId, UserIdToAddress) + andBool mapIncluded(PartialUserRoles, UserRoles) + andBool valuesAreNotEmpty(ActionData, rAction) + andBool notBool ActionIndex in_keys(ActionSigners) + andBool countMapValues(PartialUserRoles, BoardMember) >Int 0 + + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners, + usesExpanded) + + andBool countCanSignFunction(?Signatures, opaque(UserRoles)) + ==Int countMapValues(PartialUserRoles, BoardMember) +endmodule diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k new file mode 100644 index 000000000..5e2853952 --- /dev/null +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k 
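Review bot: The claim in this file differs from the one in proof-board-members-sign-for-3.k only in the last precondition, `countMapValues(PartialUserRoles, BoardMember) >Int 0` here versus `==Int 0` there, and the roughly 150 lines around it are duplicated verbatim; if the split exists because the prover needs the case distinction, a one-line comment at the top of both files saying so (presumably the two are meant to cover every `PartialUserRoles` between them) would stop a reader from hunting for a semantic difference. Neither file states in words what is shown: signing on behalf of every board member in `PartialUserRoles` for an action that has no signers yet ends with exactly `countMapValues(PartialUserRoles, BoardMember)` valid signatures, e.g. `// Each board member in PartialUserRoles adds exactly one valid signature to an action nobody has signed.` The `notBool ActionIndex in_keys(ActionSigners)` precondition is what separates these two claims from the unsuffixed file, where `ActionIndex |-> Signatures` is already present, and deserves naming in that comment.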
@@ -0,0 +1,151 @@ +require "../map/proof-map-semantics.k" + +module TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 + imports PROPERTIES-EXECUTE + imports PSEUDOCODE + + claim + boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) + ~> K:K + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, + ActionSigners:Map) + + => + + K:K + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + expand(expanded)) + + andBool newUserIdToRoleInvariant(PartialUserRoles, UserIdToAddress) + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + andBool mapsAreReverse(AddressToUserId, UserIdToAddress) + andBool mapIncluded(PartialUserRoles, UserRoles) + andBool valuesAreNotEmpty(ActionData, rAction) + andBool notBool ActionIndex in_keys(ActionSigners) + andBool countMapValues(PartialUserRoles, BoardMember) ==Int 0 + + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners, + usesExpanded) + + andBool countCanSignFunction(?Signatures, opaque(UserRoles)) + ==Int countMapValues(PartialUserRoles, BoardMember) + [trusted] +endmodule + +module PROOF-BOARD-MEMBERS-SIGN-FOR-3 + imports MAP-EXECUTE + imports PROPERTIES-EXECUTE + imports PSEUDOCODE + + imports TRUSTED-MAP-SEMANTICS + + claim + boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) + ~> K:K + + invariantState( + NumUsers:Usize, 
+ UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, + ActionSigners:Map) + + => + + K:K + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + expand(expanded)) + + andBool newUserIdToRoleInvariant(PartialUserRoles, UserIdToAddress) + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + andBool mapsAreReverse(AddressToUserId, UserIdToAddress) + andBool mapIncluded(PartialUserRoles, UserRoles) + andBool valuesAreNotEmpty(ActionData, rAction) + andBool notBool ActionIndex in_keys(ActionSigners) + andBool countMapValues(PartialUserRoles, BoardMember) ==Int 0 + + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + (ActionIndex |-> ?Signatures) ActionSigners, + usesExpanded) + + andBool countCanSignFunction(?Signatures, opaque(UserRoles)) + ==Int countMapValues(PartialUserRoles, BoardMember) +endmodule diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k new file mode 100644 index 000000000..8094736b6 --- /dev/null +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k 
@@ -0,0 +1,150 @@ +require "../map/proof-map-semantics.k" + +module TRUSTED-BOARD-MEMBERS-SIGN-FOR + imports PROPERTIES-EXECUTE + imports PSEUDOCODE + + claim + boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) + ~> K:K + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, + ActionIndex |-> Signatures:ExpressionList ActionSigners:Map) + + => + + K:K + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionIndex |-> ?Signatures ActionSigners):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionIndex |-> Signatures ActionSigners, + expand(expanded)) + + andBool newUserIdToRoleInvariant(PartialUserRoles, UserIdToAddress) + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + andBool mapsAreReverse(AddressToUserId, UserIdToAddress) + andBool mapIncluded(PartialUserRoles, UserRoles) + andBool valuesAreNotEmpty(ActionData, rAction) + andBool noMapKeyInList(PartialUserRoles, Signatures) + + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionIndex |-> ?Signatures ActionSigners, + usesExpanded) + + andBool countCanSignFunction(?Signatures, opaque(UserRoles)) + ==Int countMapValues(PartialUserRoles, BoardMember) + +Int countCanSignFunction(Signatures, opaque(UserRoles)) + [trusted] +endmodule + +module PROOF-BOARD-MEMBERS-SIGN-FOR + imports MAP-EXECUTE + imports PROPERTIES-EXECUTE + imports PSEUDOCODE + + imports TRUSTED-MAP-SEMANTICS + + claim + boardMembersSignFor(ActionIndex:Usize, 
PartialUserRoles:Map) + ~> K:K + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex:Usize, + (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, + ActionIndex |-> Signatures:ExpressionList ActionSigners:Map) + + => + + K:K + invariantState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionIndex |-> ?Signatures ActionSigners):StateCell + + requires invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionIndex |-> Signatures ActionSigners, + expand(expanded)) + + andBool newUserIdToRoleInvariant(PartialUserRoles, UserIdToAddress) + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + andBool mapsAreReverse(AddressToUserId, UserIdToAddress) + andBool mapIncluded(PartialUserRoles, UserRoles) + andBool valuesAreNotEmpty(ActionData, rAction) + andBool noMapKeyInList(PartialUserRoles, Signatures) + ensures invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + Quorum, + ActionLastIndex, + ActionData, + ActionIndex |-> ?Signatures ActionSigners, + usesExpanded) + andBool countCanSignFunction(?Signatures, opaque(UserRoles)) + ==Int countMapValues(PartialUserRoles, BoardMember) + +Int countCanSignFunction(Signatures, opaque(UserRoles)) + +endmodule diff --git a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k new file mode 100644 index 000000000..ca8e8edf7 --- /dev/null +++ b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k 
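Review bot: The PROOF-BOARD-MEMBERS-SIGN-FOR claim has no comment explaining its shape: unlike the -2/-3 files it starts from an action that already has `Signatures` and ends with `countCanSignFunction(?Signatures, opaque(UserRoles))` equal to the old count plus the board members in `PartialUserRoles`, so the `noMapKeyInList(PartialUserRoles, Signatures)` precondition presumably rules out users who signed already — that reading should be written down, e.g. `// Every board member in PartialUserRoles adds exactly one new valid signature; noMapKeyInList excludes users that already signed.` The `opaque(UserRoles)` wrapper in the ensures is explained only by the comment in map-execute.k; a pointer to it would save the next reader a search. Style: in the PROOF module the `ensures` and the trailing `andBool` lines drop the blank separators that the TRUSTED copy above keeps.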
@@ -0,0 +1,78 @@
+require "../invariant/proof-count-can-sign.k"
+require "../map/proof-map-semantics.k"
+require "proof-board-members-sign-for.k"
+require "proof-board-members-sign-for-2.k"
+require "proof-board-members-sign-for-3.k"
+
+module PROOF-CAN-PROPOSE-AND-EXECUTE
+ imports MAP-EXECUTE
+ imports PROPERTIES-EXECUTE
+ imports PSEUDOCODE
+ imports TRUSTED-BOARD-MEMBERS-SIGN-FOR
+ imports TRUSTED-BOARD-MEMBERS-SIGN-FOR-2
+ imports TRUSTED-BOARD-MEMBERS-SIGN-FOR-3
+
+ imports TRUSTED-COUNT-CAN-SIGN
+ imports TRUSTED-MAP-SEMANTICS
+
+ claim
+ pickBoardMemberOrProposer(UserIdToRole)
+ ~> withPickedUserCall(proposeChangeQuorum(u(0)))
+ ~> allBoardMembersSignFor(add(ActionLastIndex, u(1)))
+ ~> pickBoardMemberOrProposer(UserIdToRole)
+ ~> withPickedUserCall(performActionEndpoint(add(ActionLastIndex, u(1))))
+
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map)
+
+ =>
+
+ .K
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ u(0),
+ add(ActionLastIndex, u(1)),
+ ActionData:Map,
+ ActionSigners:Map):StateCell
+
+ requires invariant(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ expand(expand(expanded)))
+ // TODO: Move everything below to the invariant.
+ andBool valuesAreOfType(UserIdToAddress, rAddress)
+ andBool valuesAreKResult(UserIdToAddress)
+
+ andBool newUserIdToRoleInvariant(UserIdToRole, UserIdToAddress)
+ andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId)
+ andBool mapsAreReverse(AddressToUserId, UserIdToAddress)
+
+ andBool valuesAreNotEmpty(ActionData, rAction)
+
+ andBool mapCount(UserIdToRole, MEP.IsValue(BoardMember))
+ +Int mapCount(UserIdToRole, MEP.IsValue(Proposer))
+ >Int 0
+
+endmodule
\ No newline at end of file
diff --git a/multisig/protocol-correctness/proof/properties/properties-execute.k b/multisig/protocol-correctness/proof/properties/properties-execute.k
new file mode 100644
index 000000000..5ec4d9364
--- /dev/null
+++ b/multisig/protocol-correctness/proof/properties/properties-execute.k
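Review bot: This is the series' top-level result and it carries no statement in words of what it establishes; a header comment such as `// Liveness: whenever at least one board member or proposer exists, some user can propose an action (here: change the quorum to 0), every board member can sign it, and a user can then perform it, ending with the quorum changed and ActionLastIndex incremented.` would let a reviewer check that the claim matches the intended protocol property. Two inferred points the comment should settle: the post-state keeps `ActionData` and `ActionSigners` unchanged, which reads as `performActionEndpoint` removing the executed action and its signatures — confirm that is what the pseudocode does rather than an omission in the post-state; and the `expand(expand(expanded))` here versus `expand(expanded)` in the sign-for claims suggests the nesting controls how far `invariant` is unfolded, which deserves a note where `invariant` is defined. The `// TODO: Move everything below to the invariant.` block is exactly the set of facts the helper rules in properties-execute.k depend on silently (e.g. `newUserIdToRoleInvariant` is what guarantees the picked user has an address), so it is worth tracking rather than leaving as a bare TODO. The file lacks a final newline.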
@@ -0,0 +1,180 @@ +require "../execution-proof.k" +require "../invariant/invariant-execution.k" +// TODO: Rename to map-execution +require "../map/map-execute.k" + +module PROPERTIES-EXECUTE-SYNTAX + imports EXECUTION-PROOF-SYNTAX +endmodule + +module PROPERTIES-EXECUTE + imports EXECUTION-PROOF + imports INVARIANT-EXECUTION + imports MAP-EXECUTE + + syntax KItem ::= allBoardMembersSignFor(actionId:Usize) + syntax KItem ::= boardMembersSignFor(actionId:Usize, userRoles:Map) + syntax KItem ::= boardMembersSignForFreezer(actionId:Usize) + syntax KItem ::= #boardMembersSignFor( + actionId:Usize, + key:KItem, + value:KItem, + userRoles:Map) + syntax KItem ::= signFor(actionId:Usize, userId:KItem) + syntax KItem ::= #signFor(actionId:Usize, userId:KItem) + syntax KItem ::= lazyCastMapValue(key:KItem, Map, ReflectionType) + syntax KItem ::= castMapValue(key:KItem, Map, ReflectionType) [function, functional] + syntax KItem ::= castValue(value:KItem, ReflectionType) + + rule allBoardMembersSignFor(ActionId:Usize) + => boardMembersSignFor(ActionId, UserIdToRole) + ... + UserIdToRole:Map + ActionSigners:Map + requires notBool (ActionId in_keys(ActionSigners)) + + rule allBoardMembersSignFor(ActionId:Usize) + => boardMembersSignFor(ActionId, UserIdToRole) + ... + UserId |-> BoardMember UserIdToRole:Map + ActionId |-> [UserId:Usize, .] 
_ActionSigners:Map + + rule boardMembersSignFor(_ActionId:Usize, .Map) => .K + rule boardMembersSignFor(ActionId:Usize, UserIdToRole:Map) + => ( lazyMapSelectProperty(UserIdToRole, MEP.AlwaysTrue) + ~> boardMembersSignForFreezer(ActionId) + ) + requires notBool (UserIdToRole ==K .Map) + + rule ( mapSelected(Key:KItem, Value:KItem, UserIdToRole:Map) + ~> boardMembersSignForFreezer(ActionId:Usize) + ) + => #boardMembersSignFor(ActionId, Key, Value, UserIdToRole) + + rule #boardMembersSignFor( + ActionId:Usize, + UserId:KItem, + V:KItem, + UserIdToRole:Map) + => ( cast(V, rUserRole) + ~> removeValue + ~> splitBoolean(V ==K BoardMember) + ~> branchK( + V ==K BoardMember, + cast(UserId, rUsize) + ~> removeValue + ~> signFor(ActionId, UserId) + ~> boardMembersSignFor(ActionId, UserIdToRole), + boardMembersSignFor(ActionId, UserIdToRole) + ) + ) + + rule signFor(ActionId:Usize, UserId:KItem) + => ( splitMap(UserId, UserIdToAddress, ?_Address:KItem, ?_UserIdToAddressRemainder:Map) + ~> lazyCastMapValue(UserId, UserIdToAddress, rAddress) + ~> #signFor(ActionId, UserId) + ) + ... + UserIdToAddress:Map + + rule #signFor(ActionId:Usize, UserId:KItem) + => runExternalCall(from Address run sign(ActionId);) + ... 
+ UserId |-> Address:Address _UserIdToAddress:Map + + rule lazyCastMapValue(Key:KItem, M:Map, Type:ReflectionType) + => castMapValue(Key, M, Type) + + rule castMapValue(Key:KItem, M:Map, _Type:ReflectionType) => stuck + requires notBool Key in_keys(M) + rule castMapValue(Key:KItem, (K:KItem |-> Value:KItem) _:Map, Type:ReflectionType) + => castValue(Value, Type) + requires Key ==K K + [simplification] + rule castValue(Value:KItem, Type:ReflectionType) + => cast(Value, Type) ~> removeValue + + syntax KItem ::= pickBoardMemberOrProposer(Map) + + rule pickBoardMemberOrProposer(M:Map) + => splitBoolean(mapCount(M, MEP.IsValue(BoardMember)) >Int 0) + ~> branchK( + mapCount(M, MEP.IsValue(BoardMember)) >Int 0, + lazyMapSelectProperty(M, MEP.IsValue(BoardMember)), + splitBoolean(mapCount(M, MEP.IsValue(Proposer)) >Int 0) + ~> branchK( + mapCount(M, MEP.IsValue(Proposer)) >Int 0, + lazyMapSelectProperty(M, MEP.IsValue(Proposer)), + stuck + ) + ) + + syntax KItem ::= withPickedUserCall(EndpointCall) + + rule + ( mapSelected(UserId:KItem, _UserRole:KItem, _Remainder:Map) + => nullableMapLookup(UserId, UserIdToAddress, rAddress) + ) + ~> withPickedUserCall(_:EndpointCall) + ... + UserIdToAddress:Map + rule ( Address:Address + ~> withPickedUserCall(Call:EndpointCall) + ) + => runExternalCall(from Address run Call;) + + //////////////////////////////////////// + + syntax Bool ::= allKeysBecomeKeys(Map, Map) [function, functional] + + rule allKeysBecomeKeys(.Map, _:Map) => true + rule allKeysBecomeKeys(K:KItem |-> _:KItem M:Map, N:Map) + => K in_keys(N) andBool allKeysBecomeKeys(M, N) + [simplification] + rule allKeysBecomeKeys(M:Map, _:KItem |-> _:KItem N:Map) => true + requires allKeysBecomeKeys(M, N) + [simplification] + +// TODO: Move to the execution module. 
+ + // TODO: Make this the main invariant + syntax Bool ::= newUserIdToRoleInvariant(userIdToRole:Map, userIdToAddress:Map) + [function, functional] + + rule newUserIdToRoleInvariant(.Map, _:Map) => true + + rule newUserIdToRoleInvariant(K:KItem |-> V:KItem UserIdToRole:Map, UserIdToAddress:Map) + => true + andBool valueOfType(V, rUserRole) // valuesAreOfType(UserIdToRole, rUserRole) + andBool isKResult(V) // valuesAreKResult(UserIdToRole) + andBool valueIsNotEmpty(V, rUserRole) // valuesAreNotEmpty(UserIdToRole, rUserRole) + andBool valueOfType(K, rUsize) // keysAreOfType(UserIdToRole, rUsize) + andBool isKResult(K) // keysAreKResult(UserIdToRole) + andBool K in_keys(UserIdToAddress) // allKeysBecomeKeys(UserIdToRole, UserIdToAddress) + + andBool newUserIdToRoleInvariant(UserIdToRole, UserIdToAddress) + [simplification] + + syntax Bool ::= userIdToAddressInvariant(userIdToAddress:Map, addressToUserId:Map) + [function, functional] + + rule userIdToAddressInvariant(.Map, _:Map) => true + + rule userIdToAddressInvariant(K:KItem |-> V:KItem UserIdToAddress:Map, AddressToUserId:Map) + => true + andBool valueOfType(V, rAddress) // valuesAreOfType(UserIdToAddress, rAddress) + andBool isKResult(V) // valuesAreKResult(UserIdToAddress) + andBool valueIsNotEmpty(V, rAddress) // valuesAreNotEmpty(UserIdToAddress, rAddress) + andBool V in_keys(AddressToUserId) andBool AddressToUserId[V] ==K K // mapsAreReverseHalf(UserIdToAddress, AddressToUserId) + + andBool userIdToAddressInvariant(UserIdToAddress, AddressToUserId) + [simplification] + + rule A:Int <=Int countCanSignFunction(L:ExpressionList, K:KItem |-> BoardMember M:Map) => true + requires true + andBool A <=Int countMapValues(M, BoardMember) +Int 1 + andBool countMapValues(M, BoardMember) +Int 1 + ==K countCanSignFunction(L:ExpressionList, K |-> BoardMember M:Map) + [simplification] + +endmodule 
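Review bot: `withPickedUserCall` only has a continuation rule for an `Address:Address` result of `nullableMapLookup(UserId, UserIdToAddress, rAddress)`; if the lookup yields its null/absent result no rule applies and the proof is simply stuck, which turns the `K in_keys(UserIdToAddress)` conjunct of `newUserIdToRoleInvariant` into an unstated precondition of every claim using the helper — presumably intended, but a comment on the rule should say so: `// No rule for a missing address: the picked user is guaranteed one by newUserIdToRoleInvariant.` The second `allBoardMembersSignFor` rule covers only an action whose signer list is exactly one board member (`ActionId |-> [UserId:Usize, .]`), and any other pre-existing signer list has no rule; if this is the auto-signature a board-member proposer leaves behind (inferred from the sequence in proof-can-propose-and-execute.k), a comment stating that makes the limitation deliberate instead of accidental. `castMapValue` is declared `functional` yet its `Key in_keys(M)` case is covered only by a `[simplification]` rule, which is worth one line explaining why a plain evaluator is not used. Style: the final `countCanSignFunction` lemma compares two `Int`s with `==K` while the claims in proof-board-members-sign-for*.k use `==Int`, and the `// TODO: Move to the execution module.` comment sits at column 0 between the rules it refers to, so it is unclear which of them it covers.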
diff --git a/multisig/protocol-correctness/proof/properties/properties.mak b/multisig/protocol-correctness/proof/properties/properties.mak new file mode 100644 index 000000000..69abd3f70 --- /dev/null +++ b/multisig/protocol-correctness/proof/properties/properties.mak 
@@ -0,0 +1,41 @@ +PROPERTIES_OUT_PREFIX=out/properties. + +PROPERTIES_ALL := $(wildcard $(PROPERTIES_DIR)/*.k) +PROPERTIES_PROOFS := $(wildcard $(PROPERTIES_DIR)/proof-*.k) +PROPERTIES_EXECUTION := $(filter-out $(PROPERTIES_PROOFS), $(PROPERTIES_ALL)) $(PROOF_EXECUTION) $(MAP_EXECUTION) $(INVARIANT_EXECUTION) + +PROPERTIES_PROOF_TIMESTAMPS := $(addprefix $(PROPERTIES_OUT_PREFIX),$(notdir ${PROPERTIES_PROOFS:.k=.timestamp})) +PROPERTIES_PROOF_DEBUGGERS := $(addprefix $(PROPERTIES_OUT_PREFIX),$(notdir ${PROPERTIES_PROOFS:.k=.debugger})) + +.PHONY: properties.clean ${PROPERTIES_PROOF_DEBUGGERS} + +$(PROPERTIES_OUT_PREFIX)proof.timestamp: ${PROPERTIES_PROOF_TIMESTAMPS} + $(DIR_GUARD) + @touch $(PROPERTIES_OUT_PREFIX)proof.timestamp + +$(PROPERTIES_OUT_PREFIX)proof-%.timestamp: ${PROPERTIES_DIR}/proof-%.k $(PROPERTIES_OUT_PREFIX)execution.timestamp + $(DIR_GUARD) + @echo "Proving $*..." + @cat /proc/uptime | sed 's/\s.*//' > $(PROPERTIES_OUT_PREFIX)proof-$*.duration.temp + @((kprove $< --directory $(PROPERTIES_DIR) --haskell-backend-command $(BACKEND_COMMAND) > $(PROPERTIES_OUT_PREFIX)proof-$*.out 2>&1) && echo "$* done") || (cat $(PROPERTIES_OUT_PREFIX)proof-$*.out; echo "$* failed"; echo "$*" >> $(PROPERTIES_OUT_PREFIX)failures; false) + @cat /proc/uptime | sed 's/\s.*//' >> $(PROPERTIES_OUT_PREFIX)proof-$*.duration.temp + @$(SCRIPT_DIR)/compute-duration.py $(PROPERTIES_OUT_PREFIX)proof-$*.duration.temp > $(PROPERTIES_OUT_PREFIX)proof-$*.duration + @rm $(PROPERTIES_OUT_PREFIX)proof-$*.duration.temp + @touch $(PROPERTIES_OUT_PREFIX)proof-$*.timestamp + +$(PROPERTIES_OUT_PREFIX)proof-%.debugger: ${PROPERTIES_DIR}/proof-%.k $(PROPERTIES_OUT_PREFIX)execution.timestamp + $(DIR_GUARD) + @echo "Debugging $*..." + @kprove $< --directory $(PROPERTIES_DIR) --haskell-backend-command $(DEBUG_COMMAND) + +$(PROPERTIES_OUT_PREFIX)execution.timestamp: $(PROPERTIES_DIR)/properties-execute.k $(PROPERTIES_EXECUTION) + $(DIR_GUARD) + @echo "Compiling execution..." 
+ @kompile $< --backend haskell --directory $(PROPERTIES_DIR) + @touch $(PROPERTIES_OUT_PREFIX)execution.timestamp + +properties.clean: + -rm -r $(PROPERTIES_DIR)/*-kompiled + -rm -r .kprove-* + -rm kore-*.tar.gz + -rm $(PROPERTIES_OUT_PREFIX)* From 36c0e83694b1c84637494c64994a319a4000fab6 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Thu, 1 Apr 2021 11:06:30 +0300 Subject: [PATCH 12/37] Fix sign-for proofs. --- .../proof-board-members-sign-for-2.k | 5 ++++ .../proof-board-members-sign-for-3.k | 26 ++++++------------- .../properties/proof-board-members-sign-for.k | 1 + 3 files changed, 14 insertions(+), 18 deletions(-) diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k index 792e01b74..da997899e 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k @@ -1,5 +1,7 @@ require "../map/proof-map-semantics.k" +require "proof-board-members-sign-for.k" + module TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 imports PROPERTIES-EXECUTE imports PSEUDOCODE @@ -53,6 +55,7 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 andBool mapsAreReverse(AddressToUserId, UserIdToAddress) andBool mapIncluded(PartialUserRoles, UserRoles) andBool valuesAreNotEmpty(ActionData, rAction) + andBool notBool ActionIndex in_keys(ActionSigners) andBool countMapValues(PartialUserRoles, BoardMember) >Int 0 @@ -81,6 +84,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-2 imports TRUSTED-MAP-SEMANTICS + imports TRUSTED-BOARD-MEMBERS-SIGN-FOR + claim boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) ~> K:K diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k index 5e2853952..cea48c61b 100644 
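Review bot: The `kprove` recipe of the `proof-%.timestamp` rule passes `--haskell-backend-command $(BACKEND_COMMAND)` unquoted, so an empty or unset BACKEND_COMMAND leaves the option without a value and a multi-word command is split into separate arguments; a guard such as `$(if $(BACKEND_COMMAND),,$(error BACKEND_COMMAND is not set))` at the top of the file, and `"$(BACKEND_COMMAND)"` in the recipe if the option is meant to take one string, would make that explicit. `cat /proc/uptime | sed 's/\s.*//'` (used twice for the duration measurement) is Linux-only and the `cat` is redundant; `date +%s` is the portable form. `properties.clean` removes `.kprove-*` and `kore-*.tar.gz` from the working directory rather than from `$(PROPERTIES_DIR)`, so it can delete artefacts of the other proof targets that share the directory, and the leading `-` hides any failure.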
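Review bot: The new conjunct `andBool notBool ActionIndex in_keys(ActionSigners)` strengthens the precondition of the claim in TRUSTED-BOARD-MEMBERS-SIGN-FOR-2, but the matching claim in PROOF-BOARD-MEMBERS-SIGN-FOR-2 lies outside the third hunk, which only adds `imports TRUSTED-BOARD-MEMBERS-SIGN-FOR`; if the proved claim does not carry the same conjunct, the trusted statement and the proved one diverge and the trust is never discharged. A comment next to the conjunct, `// must mirror the requires of the PROOF module below`, would make the coupling visible. The new `require "proof-board-members-sign-for.k"` also makes this proof depend on TRUSTED-BOARD-MEMBERS-SIGN-FOR, so the chain is only sound once that file's own PROOF module is proved as well.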
--- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k @@ -53,8 +53,10 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 andBool mapsAreReverse(AddressToUserId, UserIdToAddress) andBool mapIncluded(PartialUserRoles, UserRoles) andBool valuesAreNotEmpty(ActionData, rAction) + andBool notBool ActionIndex in_keys(ActionSigners) - andBool countMapValues(PartialUserRoles, BoardMember) ==Int 0 + andBool countMapValues(PartialUserRoles, BoardMember) <=Int 0 + andBool notBool (PartialUserRoles ==K .Map) ensures invariant( NumUsers, @@ -110,7 +112,7 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-3 Quorum, ActionLastIndex, ActionData, - (ActionIndex |-> ?Signatures) ActionSigners):StateCell + ActionSigners):StateCell requires invariant( NumUsers, @@ -130,22 +132,10 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-3 andBool mapsAreReverse(AddressToUserId, UserIdToAddress) andBool mapIncluded(PartialUserRoles, UserRoles) andBool valuesAreNotEmpty(ActionData, rAction) - andBool notBool ActionIndex in_keys(ActionSigners) - andBool countMapValues(PartialUserRoles, BoardMember) ==Int 0 - ensures invariant( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserRoles, - Quorum, - ActionLastIndex, - ActionData, - (ActionIndex |-> ?Signatures) ActionSigners, - usesExpanded) + andBool notBool ActionIndex in_keys(ActionSigners) + andBool countMapValues(PartialUserRoles, BoardMember) <=Int 0 + andBool notBool (PartialUserRoles ==K .Map) - andBool countCanSignFunction(?Signatures, opaque(UserRoles)) - ==Int countMapValues(PartialUserRoles, BoardMember) + ensures 0 ==Int countMapValues(PartialUserRoles, BoardMember) endmodule diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k index 8094736b6..64485b851 100644 
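Review bot: The replaced `ensures` of PROOF-BOARD-MEMBERS-SIGN-FOR-3 (third hunk) no longer asserts `invariant(...)` on the post-state; it now states only `0 ==Int countMapValues(PartialUserRoles, BoardMember)`, which, if countMapValues is non-negative (its definition is outside this diff), already follows from the new precondition `countMapValues(PartialUserRoles, BoardMember) <=Int 0` and says nothing about the final StateCell. Downstream proofs importing TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 (proof-can-propose-and-execute.k later in this series) therefore cannot rely on the invariant after this lemma unless it is re-established elsewhere; the commit-13 hunk of the same file applies the identical weakening to the trusted module. If this is intentional, a comment on the `ensures` line such as `// post-state invariant is deliberately not claimed here; callers must re-derive it` would document it, otherwise the `invariant(...)` conjunct should be restored.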
--- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k @@ -53,6 +53,7 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR andBool mapsAreReverse(AddressToUserId, UserIdToAddress) andBool mapIncluded(PartialUserRoles, UserRoles) andBool valuesAreNotEmpty(ActionData, rAction) + andBool noMapKeyInList(PartialUserRoles, Signatures) ensures invariant( From c23dec2e44e5b1cbe44ed6d2cb8d58031e9ce2b8 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Thu, 1 Apr 2021 20:50:00 +0300 Subject: [PATCH 13/37] tmp --- .../proof-board-members-sign-for-3.k | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k index cea48c61b..bf33f120d 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k @@ -33,7 +33,7 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 Quorum, ActionLastIndex, ActionData, - (ActionIndex |-> ?Signatures) ActionSigners):StateCell + ActionSigners):StateCell requires invariant( NumUsers, @@ -58,21 +58,7 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 andBool countMapValues(PartialUserRoles, BoardMember) <=Int 0 andBool notBool (PartialUserRoles ==K .Map) - ensures invariant( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserRoles, - Quorum, - ActionLastIndex, - ActionData, - (ActionIndex |-> ?Signatures) ActionSigners, - usesExpanded) - - andBool countCanSignFunction(?Signatures, opaque(UserRoles)) - ==Int countMapValues(PartialUserRoles, BoardMember) + ensures 0 ==Int countMapValues(PartialUserRoles, BoardMember) [trusted] endmodule From fdf245950ea9d4a7735a3311c489da15f6fb1256 Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Thu, 1 Apr 2021 20:52:18 +0300 Subject: [PATCH 14/37] tmp --- multisig/protocol-correctness/proof/Makefile | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/multisig/protocol-correctness/proof/Makefile b/multisig/protocol-correctness/proof/Makefile index 7e80ffa50..305a191af 100644 --- a/multisig/protocol-correctness/proof/Makefile +++ b/multisig/protocol-correctness/proof/Makefile @@ -11,15 +11,20 @@ include proof-dependency.mak MAP_DIR := map include map/map.mak +FUNCTIONS_DIR := functions +include functions/functions.mak + INVARIANT_DIR := invariant include invariant/invariant.mak PROPERTIES_DIR := properties include properties/properties.mak -.PHONY: all invariant map properties clean +.PHONY: all functions invariant map properties clean + +all: functions invariant map properties -all: invariant map properties +functions: $(FUNCTIONS_OUT_PREFIX)proof.timestamp invariant: $(INVARIANT_OUT_PREFIX)proof.timestamp @@ -27,4 +32,6 @@ map: $(MAP_OUT_PREFIX)proof.timestamp properties: $(PROPERTIES_OUT_PREFIX)proof.timestamp -clean: invariant.clean map.clean properties.clean +clean: functions.clean invariant.clean map.clean properties.clean + rm -r *-kompiled + rm -r out From 24a742393583b84301456b2cf146ad98cd044e89 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Tue, 6 Apr 2021 00:44:38 +0300 Subject: [PATCH 15/37] tmp --- .../properties/proof-board-members-sign-for-2.k | 16 ++++++++++++++++ .../properties/proof-board-members-sign-for.k | 16 ++++++++++++++++ .../properties/proof-can-propose-and-execute.k | 9 +++++++++ .../proof/properties/properties-execute.k | 13 ++++++------- 4 files changed, 47 insertions(+), 7 deletions(-) diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k index da997899e..d44bc0851 100644 
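Review bot: The new `clean` recipe runs `rm -r *-kompiled` and `rm -r out` without the leading `-` that the included `*.clean` targets use, so on a tree where `out` is absent, or where no `*-kompiled` directory exists and `rm` receives the literal glob, `make clean` fails instead of being idempotent; `-rm -rf *-kompiled out` restores that. `functions: $(FUNCTIONS_OUT_PREFIX)proof.timestamp` relies on FUNCTIONS_OUT_PREFIX being defined by the newly included functions/functions.mak, which is outside this diff.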
--- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k @@ -1,5 +1,13 @@ require "../map/proof-map-semantics.k" +require "../functions/proof-sign-empty-action.k" +require "../functions/proof-sign-caller-not-user.k" +require "../functions/proof-sign-caller-none.k" +require "../functions/proof-sign-caller-proposer.k" +require "../functions/proof-sign-no-signers.k" +require "../functions/proof-sign-existing-signers-in-list.k" +require "../functions/proof-sign-existing-signers-not-in-list.k" + require "proof-board-members-sign-for.k" module TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 @@ -86,6 +94,14 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-2 imports TRUSTED-BOARD-MEMBERS-SIGN-FOR + imports TRUSTED-SIGN-EMPTY-ACTION + imports TRUSTED-SIGN-CALLER-NOT-USER + imports TRUSTED-SIGN-CALLER-NONE + imports TRUSTED-SIGN-CALLER-PROPOSER + imports TRUSTED-SIGN-NO-SIGNERS + imports TRUSTED-SIGN-EXISTING-SIGNERS-IN-LIST + imports TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST + claim boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) ~> K:K diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k index 64485b851..b59211c92 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k 
@@ -1,5 +1,13 @@ require "../map/proof-map-semantics.k" +require "../functions/proof-sign-empty-action.k" +require "../functions/proof-sign-caller-not-user.k" +require "../functions/proof-sign-caller-none.k" +require "../functions/proof-sign-caller-proposer.k" +require "../functions/proof-sign-no-signers.k" +require "../functions/proof-sign-existing-signers-in-list.k" +require "../functions/proof-sign-existing-signers-not-in-list.k" + module TRUSTED-BOARD-MEMBERS-SIGN-FOR imports PROPERTIES-EXECUTE imports PSEUDOCODE @@ -82,6 +90,14 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR imports TRUSTED-MAP-SEMANTICS + imports TRUSTED-SIGN-EMPTY-ACTION + imports TRUSTED-SIGN-CALLER-NOT-USER + imports TRUSTED-SIGN-CALLER-NONE + imports TRUSTED-SIGN-CALLER-PROPOSER + imports TRUSTED-SIGN-NO-SIGNERS + imports TRUSTED-SIGN-EXISTING-SIGNERS-IN-LIST + imports TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST + claim boardMembersSignFor(ActionIndex:Usize, PartialUserRoles:Map) ~> K:K diff --git a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k index ca8e8edf7..56f615e14 100644 --- a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k +++ b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k @@ -4,10 +4,15 @@ require "proof-board-members-sign-for.k" require "proof-board-members-sign-for-2.k" require "proof-board-members-sign-for-3.k" +require "../functions/proof-propose-action-BoardMember.k" +require "../functions/proof-propose-action-Proposer.k" +require "../functions/proof-propose-action-error.k" + module PROOF-CAN-PROPOSE-AND-EXECUTE imports MAP-EXECUTE imports PROPERTIES-EXECUTE imports PSEUDOCODE + imports TRUSTED-BOARD-MEMBERS-SIGN-FOR imports TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 imports TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 
@@ -15,6 +20,10 @@ module PROOF-CAN-PROPOSE-AND-EXECUTE imports TRUSTED-COUNT-CAN-SIGN imports TRUSTED-MAP-SEMANTICS + imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-ACTION-PROPOSER + claim pickBoardMemberOrProposer(UserIdToRole) ~> withPickedUserCall(proposeChangeQuorum(u(0))) diff --git a/multisig/protocol-correctness/proof/properties/properties-execute.k b/multisig/protocol-correctness/proof/properties/properties-execute.k index 5ec4d9364..3060faef9 100644 --- a/multisig/protocol-correctness/proof/properties/properties-execute.k +++ b/multisig/protocol-correctness/proof/properties/properties-execute.k @@ -56,22 +56,21 @@ module PROPERTIES-EXECUTE UserId:KItem, V:KItem, UserIdToRole:Map) - => ( cast(V, rUserRole) - ~> removeValue - ~> splitBoolean(V ==K BoardMember) + => ( cast(V, rUserRole) + ~> removeValue + ~> concretizeValue(V) ~> branchK( V ==K BoardMember, cast(UserId, rUsize) ~> removeValue ~> signFor(ActionId, UserId) ~> boardMembersSignFor(ActionId, UserIdToRole), - boardMembersSignFor(ActionId, UserIdToRole) + boardMembersSignFor(ActionId, UserIdToRole) ) ) rule signFor(ActionId:Usize, UserId:KItem) - => ( splitMap(UserId, UserIdToAddress, ?_Address:KItem, ?_UserIdToAddressRemainder:Map) - ~> lazyCastMapValue(UserId, UserIdToAddress, rAddress) + => ( makeConcreteValue(UserId, rAddress, UserIdToAddress) ~> #signFor(ActionId, UserId) ) ... @@ -121,7 +120,7 @@ module PROPERTIES-EXECUTE rule ( Address:Address ~> withPickedUserCall(Call:EndpointCall) ) - => runExternalCall(from Address run Call;) + => concretizeValue(Address) ~> runExternalCall(from Address run Call;) //////////////////////////////////////// From d0e08b73fb5793d7d3af6c372d7c4fe5faa147e9 Mon Sep 17 00:00:00 2001 
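Review bot: The rewritten `signFor` rule delegates to `makeConcreteValue(UserId, rAddress, UserIdToAddress)`, whose definition (added in the execution-proof.k hunk of commit 16 in this series) carries `requires Key in_keys(M)`; when `UserId` is not a key of `UserIdToAddress` no rule applies and the symbolic execution is stuck rather than failing explicitly. That is sound for the proof but silent, and it appears to rely on the invariant's `allKeysBecomeKeys(UserIdToRole, UserIdToAddress)` property, since `boardMembersSignFor` iterates keys of `UserIdToRole`. A comment on the rule, `// UserId is a key of UserIdToAddress by allKeysBecomeKeys; makeConcreteValue does not apply otherwise`, would record the assumption, and the same applies to the new `concretizeValue(Address) ~> runExternalCall(...)` step in the last hunk.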
From: Virgil Serbanuta Date: Wed, 7 Apr 2021 18:45:17 +0300 Subject: [PATCH 16/37] Speed refactoring --- .../protocol-correctness/proof/.gitignore | 2 + .../proof/execution-proof.k | 7 + .../proof/functions/functions-execute.k | 54 +++ .../proof/functions/functions.mak | 37 +- .../proof-change-user-role-BoardMember.k | 63 +-- .../functions/proof-change-user-role-New.k | 69 +--- .../functions/proof-change-user-role-None.k | 65 +--- .../proof-change-user-role-Proposer.k | 63 +-- .../proof-propose-action-BoardMember.k | 78 +--- .../functions/proof-propose-action-Proposer.k | 78 +--- .../proof-propose-action-error-no-role.k | 70 ++++ .../proof-propose-action-error-no-user.k | 70 ++++ .../functions/proof-propose-action-error.k | 116 ------ .../proof-propose-sc-deploy-BoardMember.k | 102 +++++ .../proof-propose-sc-deploy-Proposer.k | 96 +++++ .../proof-propose-sc-deploy-error-no-role.k | 90 +++++ .../proof-propose-sc-deploy-error-no-user.k | 90 +++++ .../proof-propose-sc-deploy-fragment.k | 77 ++++ .../proof/functions/proof-sign-caller-none.k | 67 +--- .../functions/proof-sign-caller-not-user.k | 67 +--- .../functions/proof-sign-caller-proposer.k | 68 +--- .../proof/functions/proof-sign-empty-action.k | 63 +-- .../proof-sign-existing-signers-in-list.k | 69 +--- .../proof-sign-existing-signers-not-in-list.k | 69 +--- .../proof/functions/proof-sign-no-signers.k | 69 +--- .../proof/invariant/invariant-execution.k | 142 +++---- .../proof/invariant/invariant.mak | 2 +- .../proof/invariant/proof-perform-action.k | 332 ++++++++++++---- .../proof-perform-add-board-member.k | 8 +- .../invariant/proof-perform-add-proposer-3.k | 8 +- .../invariant/proof-perform-add-proposer-5.k | 8 +- .../invariant/proof-perform-add-proposer-7.k | 8 +- .../invariant/proof-perform-add-proposer-8.k | 8 +- .../invariant/proof-perform-add-proposer-9.k | 8 +- .../invariant/proof-perform-remove-user-1.k | 8 +- .../invariant/proof-perform-remove-user-10.k | 8 +- .../invariant/proof-perform-remove-user-5.k 
| 8 +- .../invariant/proof-perform-remove-user-9.k | 8 +- .../proof-propose-add-board-member.k | 10 +- .../invariant/proof-propose-add-proposer.k | 10 +- .../invariant/proof-propose-change-quorum.k | 10 +- .../invariant/proof-propose-remove-user.k | 10 +- .../proof/invariant/proof-propose-sc-call.k | 10 +- .../proof/invariant/proof-propose-sc-deploy.k | 14 +- .../proof/invariant/proof-propose-send-egld.k | 10 +- .../proof/invariant/proof-sign.k | 14 +- .../proof/make-trusted.py | 65 ++++ .../protocol-correctness/proof/map/Makefile | 4 +- .../protocol-correctness/proof/map/map.mak | 2 +- .../proof/properties/Makefile | 4 +- .../proof-board-members-sign-for-2.k | 14 +- .../properties/proof-board-members-sign-for.k | 14 +- .../proof-can-propose-and-execute.k | 10 +- .../proof/properties/properties.mak | 2 +- .../proof/trusted-deps.py | 359 ++++++++++++++++++ 55 files changed, 1741 insertions(+), 1076 deletions(-) create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-action-error.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k create mode 100755 multisig/protocol-correctness/proof/make-trusted.py create mode 100755 multisig/protocol-correctness/proof/trusted-deps.py 
diff --git a/multisig/protocol-correctness/proof/.gitignore b/multisig/protocol-correctness/proof/.gitignore index 841e28283..d973ef30c 100644 --- a/multisig/protocol-correctness/proof/.gitignore +++ b/multisig/protocol-correctness/proof/.gitignore @@ -5,3 +5,5 @@ kore-repl* *.json *.eventlog out +.out +.deps \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index 86b3e9dcf..a298b33e6 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k @@ -516,6 +516,13 @@ module CONCRETIZE-INSTRUMENTATION syntax KItem ::= lazyConcretizeValues(Map) rule lazyConcretizeValues(M:Map) => concretized(concretizeValues(M, vars(?_, vars(?_, .IntVarList)))) + syntax KItem ::= makeConcreteValue(key:KItem, valueType:ReflectionType, Map) + rule makeConcreteValue(Key:KItem, ValueType:ReflectionType, M:Map) + => splitMap(Key, M, ?_Value:KItem, ?_Remainder:Map) + ~> cast(M[Key], ValueType) + ~> removeValue + ~> concretizeValue(M[Key]) + requires Key in_keys(M) endmodule module PROOF-INSTRUMENTATION diff --git a/multisig/protocol-correctness/proof/functions/functions-execute.k b/multisig/protocol-correctness/proof/functions/functions-execute.k index f72c2f95e..3970e0a9e 100644 --- a/multisig/protocol-correctness/proof/functions/functions-execute.k +++ b/multisig/protocol-correctness/proof/functions/functions-execute.k 
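Review bot: `makeConcreteValue` is undocumented and its side condition `requires Key in_keys(M)` is easy to miss at call sites: when the key is absent the rule simply does not apply and the `~>` continuation after it is never reached. Suggested comment above the `syntax KItem ::= makeConcreteValue(...)` line: `// Splits M at Key, checks that M[Key] has ValueType and replaces it by a concrete value. Only applies when Key is in M; callers must branch on membership first.` The right-hand side looks up `M[Key]` twice after `splitMap` has already bound the value as `?_Value`; reusing that binding instead of the unused existential would be clearer, if the instrumentation allows it.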
@@ -4,6 +4,39 @@ module FUNCTIONS-EXECUTE-SYNTAX imports EXECUTION-PROOF-SYNTAX endmodule +module PROPOSE-ACTION-INSTRUMENTATION + imports PROOF-INSTRUMENTATION + imports PSEUDOCODE + + syntax KItem ::= "split-propose-action" + syntax KItem ::= "split-propose-action1" + + rule preCall ~> (.K => split-propose-action) ~> call(proposeAction(_Action:Action)) + [priority(20)] + + rule split-propose-action + => branchK( + Caller in_keys(AddressToUserId), + makeConcreteValue(Caller, rUsize, AddressToUserId) + ~> split-propose-action1, + .K + ) + ... + AddressToUserId:Map + Caller:KItem + + rule split-propose-action1 + => branchK( + AddressToUserId[Caller] in_keys(UserIdToRole), + makeConcreteValue(AddressToUserId[Caller], rUserRole, UserIdToRole), + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + Caller:KItem +endmodule + module FUNCTIONS-INSTRUMENTATION imports PROOF-INSTRUMENTATION @@ -13,8 +46,29 @@ module FUNCTIONS-INSTRUMENTATION [priority(20)] endmodule +module FUNCTIONS-HELPERS + imports PSEUDOCODE + + // TODO: Move to pseudocode.k + syntax Int ::= metadataToInt(CodeMetadata) [function, functional] + rule metadataToInt(meta(Value:Int)) => Value + + syntax CodeMetadata ::= codeMetadataFunction(upgradeable:Bool, payable:Bool, readable:Bool) + [function, functional] + rule codeMetadataFunction(Upgradeable:Bool, Payable:Bool, Readable:Bool) + => meta( + metadataToInt(CodeMetadata::DEFAULT) + |Int #if Upgradeable #then metadataToInt(CodeMetadata::UPGRADEABLE) #else 0 #fi + |Int #if Payable #then metadataToInt(CodeMetadata::PAYABLE) #else 0 #fi + |Int #if Readable #then metadataToInt(CodeMetadata::READABLE) #else 0 #fi + ) +endmodule + module FUNCTIONS-EXECUTE imports EXECUTION-PROOF imports FUNCTIONS-INSTRUMENTATION + imports PROPOSE-ACTION-INSTRUMENTATION + + imports FUNCTIONS-HELPERS endmodule diff --git a/multisig/protocol-correctness/proof/functions/functions.mak b/multisig/protocol-correctness/proof/functions/functions.mak index 37a6b6cdf..ef1f7ca77 100644 
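Review bot: PROPOSE-ACTION-INSTRUMENTATION injects `split-propose-action` before every `call(proposeAction(_))` at priority 20 but carries no comment on its purpose: the two `branchK` steps case-split the configuration on whether `Caller` is a registered address and whether that user id has a role, which is presumably what lets each proof-propose-action-*.k file in this commit handle a single branch. A module-level comment such as `// Case-splits on caller membership before proposeAction so that each proof-propose-action-*.k sees one branch.` would help. In FUNCTIONS-HELPERS, `metadataToInt` is declared `functional` but has a rule only for `meta(Value:Int)`; if CodeMetadata has other constructors (pseudocode.k is outside this diff) the function is partial and the attribute is unsound for it.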
--- a/multisig/protocol-correctness/proof/functions/functions.mak +++ b/multisig/protocol-correctness/proof/functions/functions.mak @@ -1,17 +1,31 @@ -FUNCTIONS_OUT_PREFIX=out/functions. +FUNCTIONS_OUT_PREFIX=.out/functions. + +FUNCTIONS_TRUSTED_DIR=$(FUNCTIONS_DIR) + +FUNCTIONS_DEPS_DIR=$(FUNCTIONS_DIR)/.deps include ${FUNCTIONS_DIR}/functions-dependency.mak FUNCTIONS_PROOF_TIMESTAMPS := $(addprefix $(FUNCTIONS_OUT_PREFIX),$(notdir ${FUNCTIONS_PROOFS:.k=.timestamp})) FUNCTIONS_PROOF_DEBUGGERS := $(addprefix $(FUNCTIONS_OUT_PREFIX),$(notdir ${FUNCTIONS_PROOFS:.k=.debugger})) +FUNCTIONS_DEPFILES := $(addprefix $(FUNCTIONS_DEPS_DIR)/,$(notdir ${FUNCTIONS_PROOFS:.k=.deps})) +FUNCTIONS_TRUSTED_FILES := $(addprefix $(FUNCTIONS_TRUSTED_DIR)/,$(patsubst proof-%.k,trusted-%.k,$(notdir ${FUNCTIONS_PROOFS}))) + .PHONY: functions.clean ${FUNCTIONS_PROOF_DEBUGGERS} +.SECONDARY: -$(FUNCTIONS_OUT_PREFIX)proof.timestamp: ${FUNCTIONS_PROOF_TIMESTAMPS} +# TODO: This is broken, I should add individual dependencies for each proof on their trusted imports. +$(FUNCTIONS_OUT_PREFIX)proof.timestamp: $(FUNCTIONS_OUT_PREFIX)trusted.timestamp ${FUNCTIONS_PROOF_TIMESTAMPS} $(DIR_GUARD) @touch $(FUNCTIONS_OUT_PREFIX)proof.timestamp -$(FUNCTIONS_OUT_PREFIX)proof-%.timestamp: ${FUNCTIONS_DIR}/proof-%.k $(FUNCTIONS_OUT_PREFIX)execution.timestamp +$(FUNCTIONS_OUT_PREFIX)trusted.timestamp: ${FUNCTIONS_TRUSTED_FILES} + +$(FUNCTIONS_OUT_PREFIX)proof-%.timestamp: \ + ${FUNCTIONS_DIR}/proof-%.k \ + ${FUNCTIONS_DEPS_DIR}/proof-%.deps \ + $(FUNCTIONS_OUT_PREFIX)execution.timestamp $(DIR_GUARD) @echo "Proving $*..." @cat /proc/uptime | sed 's/\s.*//' > $(FUNCTIONS_OUT_PREFIX)proof-$*.duration.temp 
@@ -21,6 +35,16 @@ $(FUNCTIONS_OUT_PREFIX)proof-%.timestamp: ${FUNCTIONS_DIR}/proof-%.k $(FUNCTIONS @rm $(FUNCTIONS_OUT_PREFIX)proof-$*.duration.temp @touch $(FUNCTIONS_OUT_PREFIX)proof-$*.timestamp +${FUNCTIONS_DEPS_DIR}/proof-%.deps: ${FUNCTIONS_DIR}/proof-%.k + $(DIR_GUARD) + @echo "Generating dependencies for $*..." + @kdep $< | sed 's#^.* : \\$$#$(FUNCTIONS_OUT_PREFIX)proof-$*.timestamp : \\#' > $@ + @kdep $< | sed 's#^.* : \\$$#$@ : \\#' >> $@ + +$(FUNCTIONS_TRUSTED_DIR)/trusted-%.k: ${FUNCTIONS_DIR}/proof-%.k $(SCRIPT_DIR)/make-trusted.py + $(DIR_GUARD) + @$(SCRIPT_DIR)/make-trusted.py $< $@ + $(FUNCTIONS_OUT_PREFIX)proof-%.debugger: ${FUNCTIONS_DIR}/proof-%.k $(FUNCTIONS_OUT_PREFIX)execution.timestamp $(DIR_GUARD) @echo "Debugging $*..." @@ -30,10 +54,15 @@ $(FUNCTIONS_OUT_PREFIX)execution.timestamp: $(FUNCTIONS_DIR)/functions-execute.k $(DIR_GUARD) @echo "Compiling execution..." @kompile $< --backend haskell --directory $(FUNCTIONS_DIR) - @touch $(FUNCTIONS_OUT_PREFIX)execution.timestamp + @touch $(FUNCTIONS_OUT_PREFIX)kompile.timestamp functions.clean: -rm -r $(FUNCTIONS_DIR)/*-kompiled -rm -r .kprove-* -rm kore-*.tar.gz -rm $(FUNCTIONS_OUT_PREFIX)* + # TODO: Delete only function dependencies + -rm -r ${FUNCTIONS_DEPS_DIR} + +-include $(FUNCTIONS_DEPFILES) +-include $(FUNCTIONS_TRUSTED_DEPFILES) diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k index b4d030e33..af236efde 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k 
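Review bot: The recipe of the `execution.timestamp` rule (third hunk) now touches `$(FUNCTIONS_OUT_PREFIX)kompile.timestamp`, while the rule's target and the prerequisites of `proof-%.timestamp` and `proof-%.debugger` in the previous hunk still name `execution.timestamp`; unless the target line was renamed outside the hunk, the file make checks is never created and `kompile` reruns on every invocation. Either restore `@touch $(FUNCTIONS_OUT_PREFIX)execution.timestamp` or rename the target and every prerequisite together. `-include $(FUNCTIONS_TRUSTED_DEPFILES)` references a variable that no hunk of this file defines (only FUNCTIONS_DEPFILES and FUNCTIONS_TRUSTED_FILES are), so it currently includes nothing. The generated `trusted-%.k` files are written into `$(FUNCTIONS_TRUSTED_DIR)`, which is the source directory, and `functions.clean` does not remove them.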
@@ -1,51 +1,8 @@ -module TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports FUNCTIONS-EXECUTE - - claim - call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K - - invariantStateFull( - u(NumUsers:Int), - UserIdToAddress:Map, - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - UserId |-> BoardMember UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - evaluate(void) ~> K - invariantStateFull( - u(NumUsers), - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers -Int 1 +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi), - u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi), - #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi, - Quorum, - u(ActionLastIndex), - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool addressToUserIdInvariant(AddressToUserId) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ end imports FUNCTIONS-EXECUTE claim @@ -63,7 +20,11 @@ module PROOF-CHANGE-USER-ROLE-BOARDMEMBER ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -82,11 +43,19 @@ module PROOF-CHANGE-USER-ROLE-BOARDMEMBER ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell requires true andBool addressToUserIdInvariant(AddressToUserId) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule 
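Review bot: The `//@ proof` / `//@ trusted` markers make the generated TRUSTED module differ from the proved one in the stack cell: the proof uses `.List` (with a `// TODO: Stack:List,` comment) while the trusted variant keeps `Stack:List`, so the lemma that importers assume is strictly more general than what the proof establishes (arbitrary stack versus empty stack). Until that TODO is resolved the trusted text should match the proved one, or the gap should be recorded next to the marker, e.g. `// NOTE: trusted variant assumes an arbitrary Stack; the proof only covers .List`. The same pattern is repeated in the New, None and Proposer variants of this file in the same commit.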
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k index 9ff3ac636..ed9dd5271 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k @@ -1,57 +1,8 @@ -module TRUSTED-CHANGE-USER-ROLE-NEW - imports FUNCTIONS-EXECUTE - - claim - call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K - - invariantStateFull( - u(NumUsers:Int), - UserIdToAddress:Map, - AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - evaluate(void) ~> K - invariantStateFull( - u(NumUsers +Int 1), - u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, - UserAddress |-> u(NumUsers +Int 1) AddressToUserId, - u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi), - u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi), - #if NewRole ==K None #then UserIdToRole #else u(NumUsers +Int 1) |-> NewRole UserIdToRole #fi, - Quorum, - u(ActionLastIndex), - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool NumUsers >=Int 0 - // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + - // something taking map values to keys. - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), usesExpanded) - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), usesExpanded) - - andBool notBool UserAddress in_keys(AddressToUserId) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-CHANGE-USER-ROLE-NEW +//@ end imports FUNCTIONS-EXECUTE claim 
@@ -69,7 +20,11 @@ module PROOF-CHANGE-USER-ROLE-NEW ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -88,7 +43,11 @@ module PROOF-CHANGE-USER-ROLE-NEW ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -101,4 +60,8 @@ module PROOF-CHANGE-USER-ROLE-NEW andBool notBool UserAddress in_keys(AddressToUserId) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k index 3c0fc68f3..2b7f31e0a 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k 
@@ -1,53 +1,8 @@ -module TRUSTED-CHANGE-USER-ROLE-NONE - imports FUNCTIONS-EXECUTE - - claim - call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K - - invariantStateFull( - u(NumUsers:Int), - UserIdToAddress:Map, - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - evaluate(void) ~> K - invariantStateFull( - u(NumUsers), - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi), - u(NumProposers +Int #if NewRole ==K Proposer #then 1 #else 0 #fi), - #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi, - Quorum, - u(ActionLastIndex), - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool addressToUserIdInvariant(AddressToUserId) - - andBool notBool UserId in_keys(UserIdToRole) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-CHANGE-USER-ROLE-NONE +//@ end imports FUNCTIONS-EXECUTE claim @@ -65,7 +20,11 @@ module PROOF-CHANGE-USER-ROLE-NONE ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -84,7 +43,11 @@ module PROOF-CHANGE-USER-ROLE-NONE ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -93,4 +56,8 @@ module PROOF-CHANGE-USER-ROLE-NONE andBool notBool UserId in_keys(UserIdToRole) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k index ee39d125c..1afa89bf3 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k @@ -1,51 +1,8 @@ -module TRUSTED-CHANGE-USER-ROLE-PROPOSER - imports FUNCTIONS-EXECUTE - - claim - call(changeUserRole(UserAddress:Address, NewRole:UserRole)) ~> K:K - - invariantStateFull( - u(NumUsers:Int), - UserIdToAddress:Map, - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - UserId |-> Proposer UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - evaluate(void) ~> K - invariantStateFull( - u(NumUsers), - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers +Int #if NewRole ==K BoardMember #then 1 #else 0 #fi), - u(NumProposers -Int 1 +Int #if NewRole ==K Proposer #then 1 #else 0 #fi), - #if NewRole ==K None #then UserIdToRole #else UserId |-> NewRole UserIdToRole #fi, - Quorum, - u(ActionLastIndex), - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool addressToUserIdInvariant(AddressToUserId) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ end imports FUNCTIONS-EXECUTE claim @@ -63,7 +20,11 @@ module PROOF-CHANGE-USER-ROLE-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) 
@@ -82,11 +43,19 @@ module PROOF-CHANGE-USER-ROLE-PROPOSER ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell requires true andBool addressToUserIdInvariant(AddressToUserId) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k index 41405d715..624a353ef 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k 
@@ -1,66 +1,8 @@ -module TRUSTED-PROPOSE-ACTION-BOARDMEMBER - imports FUNCTIONS-EXECUTE - - claim - call(proposeAction(Action:Action)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - u(ActionLastIndex +Int 1) ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - u(ActionLastIndex +Int 1), - u(ActionLastIndex +Int 1) |-> Action ActionData, - (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool isKResult(Action) - andBool valueIsNotEmpty(Action, rAction) - - andBool valuesAreKResult(AddressToUserId) - andBool valuesAreOfType(AddressToUserId, rUsize) - andBool valuesAreNotEmpty(AddressToUserId, rUsize) - - andBool valuesAreOfType(UserIdToRole, rUserRole) - andBool valuesAreKResult(UserIdToRole) - - andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded)) - andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded)) - - andBool CallerAddress in_keys(AddressToUserId) - andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) - andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember - ensures true - [trusted] -endmodule - +//@ proof module PROOF-PROPOSE-ACTION-BOARDMEMBER +//@ trusted +// module TRUSTED-PROPOSE-ACTION-BOARDMEMBER +//@ end imports FUNCTIONS-EXECUTE claim @@ -78,7 +20,11 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) 
@@ -97,7 +43,11 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER u(ActionLastIndex +Int 1) |-> Action ActionData, (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -119,4 +69,8 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k index 3fe5588f1..4199923e0 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k 
@@ -1,66 +1,8 @@ -module TRUSTED-PROPOSE-ACTION-PROPOSER - imports FUNCTIONS-EXECUTE - - claim - call(proposeAction(Action:Action)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - u(ActionLastIndex +Int 1) ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - u(ActionLastIndex +Int 1), - u(ActionLastIndex +Int 1) |-> Action ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool isKResult(Action) - andBool valueIsNotEmpty(Action, rAction) - - andBool valuesAreKResult(AddressToUserId) - andBool valuesAreOfType(AddressToUserId, rUsize) - andBool valuesAreNotEmpty(AddressToUserId, rUsize) - - andBool valuesAreOfType(UserIdToRole, rUserRole) - andBool valuesAreKResult(UserIdToRole) - - andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded)) - andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded)) - - andBool CallerAddress in_keys(AddressToUserId) - andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) - andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K Proposer - ensures true - [trusted] -endmodule - +//@ proof module PROOF-PROPOSE-ACTION-PROPOSER +//@ trusted +// module TRUSTED-PROPOSE-ACTION-PROPOSER +//@ end imports FUNCTIONS-EXECUTE claim @@ -78,7 +20,11 @@ module PROOF-PROPOSE-ACTION-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) 
@@ -97,7 +43,11 @@ module PROOF-PROPOSE-ACTION-PROPOSER u(ActionLastIndex +Int 1) |-> Action ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -119,4 +69,8 @@ module PROOF-PROPOSE-ACTION-PROPOSER andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K Proposer ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k new file mode 100644 index 000000000..f7b7a789e --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k 
@@ -0,0 +1,70 @@ +//@ proof +module PROOF-PROPOSE-ACTION-ERROR-NO-ROLE +//@ trusted +// module TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(proposeAction(_Action:Action)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables:Map + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k new file mode 100644 index 000000000..e4d43d05b --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k 
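Review bot: `andBool notBool u(0) in_keys(UserIdToRole)` in the requires of PROOF-PROPOSE-ACTION-ERROR-NO-ROLE (and of the NO-USER variant in the next file) carries no explanation of why user id 0 must have no role, and since both files are new and replace the single proof-propose-action-error.k, this is the natural place to record it. Presumably an address lookup that misses in `AddressToUserId` yields `u(0)` in the pseudocode semantics, which is what makes the no-user and no-role paths end in the same `error` result; that is an inference from the hypothesis, not something visible in the hunk. A comment such as `// id 0 is the "no user" sentinel: it must never carry a role, otherwise an unknown caller could act as that user` placed above the hypothesis would make the assumption explicit, once confirmed against pseudocode.k.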
@@ -0,0 +1,70 @@ +//@ proof +module PROOF-PROPOSE-ACTION-ERROR-NO-USER +//@ trusted +// module TRUSTED-PROPOSE-ACTION-ERROR-NO-USER +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(proposeAction(_Action:Action)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables:Map + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + + andBool notBool CallerAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error.k deleted file mode 100644 index a04026330..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-error.k +++ /dev/null 
@@ -1,116 +0,0 @@ -module TRUSTED-PROPOSE-ACTION-ERROR - imports FUNCTIONS-EXECUTE - - claim - call(proposeAction(_Action:Action)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - error ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables:Map - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - - andBool valuesAreKResult(AddressToUserId) - andBool valuesAreOfType(AddressToUserId, rUsize) - andBool valuesAreNotEmpty(AddressToUserId, rUsize) - - andBool valuesAreOfType(UserIdToRole, rUserRole) - andBool valuesAreKResult(UserIdToRole) - - andBool notBool - ( CallerAddress in_keys(AddressToUserId) - andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) - ) - ensures true - [trusted] -endmodule - -module PROOF-PROPOSE-ACTION-ERROR - imports FUNCTIONS-EXECUTE - - claim - call(proposeAction(_Action:Action)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - .List, // TODO: Stack:List - .Map - ) - - => - - error ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - .List, // TODO: Stack:List - ?_Variables:Map - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - - andBool valuesAreKResult(AddressToUserId) - andBool 
valuesAreOfType(AddressToUserId, rUsize) - andBool valuesAreNotEmpty(AddressToUserId, rUsize) - - andBool valuesAreOfType(UserIdToRole, rUserRole) - andBool valuesAreKResult(UserIdToRole) - - andBool notBool - ( CallerAddress in_keys(AddressToUserId) - andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) - ) - ensures true -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k new file mode 100644 index 000000000..80712b1bf --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k 
@@ -0,0 +1,102 @@ +//@ proof +require "trusted-propose-action-BoardMember.k" +require "trusted-propose-sc-deploy-fragment.k" +//@ trusted +//@ end + +//@ proof +module PROOF-PROPOSE-SC-DEPLOY-BOARDMEMBER +//@ trusted +// module TRUSTED-PROPOSE-SC-DEPLOY-BOARDMEMBER +//@ end + imports FUNCTIONS-EXECUTE + + //@ proof + imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER + imports TRUSTED-PROPOSE-SC-DEPLOY-FRAGMENT + //@ trusted + //@ end + + claim + call(proposeSCDeploy( + Amount:BigUint, + Code:BoxedBytes, + Upgradeable:Bool, + Payable:Bool, + Readable:Bool, + Args:ExpressionList)) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + evaluate(u(ActionLastIndex +Int 1)) ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex +Int 1), + u(ActionLastIndex +Int 1) + |-> SCDeploy( + Amount, + Code, + codeMetadataFunction(Upgradeable, Payable, Readable), + Args) + ActionData, + (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Args) + + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded)) + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded)) + + 
andBool CallerAddress in_keys(AddressToUserId) + andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) + andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule + + diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k new file mode 100644 index 000000000..9c6401806 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k 
@@ -0,0 +1,96 @@ +//@ proof +require "trusted-propose-action-Proposer.k" +require "trusted-propose-sc-deploy-fragment.k" +//@ trusted +//@ end + +//@ proof +module PROOF-PROPOSE-SC-DEPLOY-PROPOSER +//@ trusted +// module TRUSTED-PROPOSE-SC-DEPLOY-PROPOSER +//@ end + imports FUNCTIONS-EXECUTE + + //@ proof + imports TRUSTED-PROPOSE-ACTION-PROPOSER + imports TRUSTED-PROPOSE-SC-DEPLOY-FRAGMENT + //@ trusted + //@ end + + claim + call(proposeSCDeploy( + Amount:BigUint, + Code:BoxedBytes, + Upgradeable:Bool, + Payable:Bool, + Readable:Bool, + Args:ExpressionList)) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + evaluate(u(ActionLastIndex +Int 1)) ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex +Int 1), + u(ActionLastIndex +Int 1) + |-> SCDeploy( + Amount, + Code, + codeMetadataFunction(Upgradeable, Payable, Readable), + Args) + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Args) + + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), expand(expanded)) + andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), expand(expanded)) + + andBool CallerAddress in_keys(AddressToUserId) + andBool AddressToUserId[CallerAddress] 
in_keys(UserIdToRole) + andBool UserIdToRole[AddressToUserId[CallerAddress]] ==K Proposer + ensures true +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k new file mode 100644 index 000000000..e2c38cc32 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k 
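Review bot: proof-propose-sc-deploy-Proposer.k ends with `ensures true` followed directly by `endmodule`, so it lacks the `//@ proof` / `//@ trusted` / `// [trusted]` / `//@ end` block that every other file in this diff places before `endmodule` (compare the BoardMember sibling in the previous hunk, which is otherwise line-for-line parallel). If the trusted preprocessing uncomments the `//@ trusted` lines, the generated TRUSTED-PROPOSE-SC-DEPLOY-PROPOSER module would hold a claim without the `[trusted]` attribute and could not be used as an assumption the way its siblings can. Adding the same four-line block before `endmodule` keeps the file consistent with the rest of the set.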
@@ -0,0 +1,90 @@ +//@ proof +require "trusted-propose-action-error-no-role.k" +require "trusted-propose-sc-deploy-fragment.k" +//@ trusted +//@ end + +//@ proof +module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE +//@ trusted +// module TRUSTED-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE +//@ end + imports FUNCTIONS-EXECUTE + + //@ proof + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-SC-DEPLOY-FRAGMENT + //@ trusted + //@ end + + claim + call(proposeSCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _Upgradeable:Bool, + _Payable:Bool, + _Readable:Bool, + Args:ExpressionList)) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables:Map + ):StateCell + + requires true + andBool isKResult(Args) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k
new file mode 100644
index 000000000..a537d5d14
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k
@@ -0,0 +1,90 @@ +//@ proof +require "trusted-propose-action-error-no-user.k" +require "trusted-propose-sc-deploy-fragment.k" +//@ trusted +//@ end + +//@ proof +module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-USER +//@ trusted +// module TRUSTED-PROPOSE-SC-DEPLOY-ERROR-NO-USER +//@ end + imports FUNCTIONS-EXECUTE + + //@ proof + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER + imports TRUSTED-PROPOSE-SC-DEPLOY-FRAGMENT + //@ trusted + //@ end + + claim + call(proposeSCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _Upgradeable:Bool, + _Payable:Bool, + _Readable:Bool, + Args:ExpressionList)) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables:Map + ):StateCell + + requires true + andBool isKResult(Args) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool valuesAreKResult(AddressToUserId) + andBool valuesAreOfType(AddressToUserId, rUsize) + andBool valuesAreNotEmpty(AddressToUserId, rUsize) + + andBool valuesAreOfType(UserIdToRole, rUserRole) + andBool valuesAreKResult(UserIdToRole) + + andBool notBool CallerAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k new file mode 100644 index 000000000..a0309eaea --- /dev/null 
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k @@ -0,0 +1,77 @@ +//@ proof +module PROOF-PROPOSE-SC-DEPLOY-FRAGMENT +//@ trusted +// module TRUSTED-PROPOSE-SC-DEPLOY-FRAGMENT +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + code_metadata = CodeMetadata::DEFAULT; + if (Upgradeable) { + code_metadata = code_metadata | CodeMetadata::UPGRADEABLE; + } + if (Payable) { + code_metadata = code_metadata | CodeMetadata::PAYABLE; + } + if (Readable) { + code_metadata = code_metadata | CodeMetadata::READABLE; + } + proposeActionSCDeploy(Amount, Code, code_metadata, Args); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + runPseudoCode( + proposeActionSCDeploy(Amount, Code, code_metadata, Args); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + code_metadata |-> codeMetadataFunction(Upgradeable, Payable, Readable) + ) + + requires true + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k index 622f12d4f..913a41322 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k 
@@ -1,55 +1,8 @@ -module TRUSTED-SIGN-CALLER-NONE - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - error ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - andBool actionDataInvariant(ActionData) - - andBool ActionId in_keys(ActionData) - andBool notBool UserId in_keys(UserIdToRole) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-SIGN-CALLER-NONE +//@ trusted +// module TRUSTED-SIGN-CALLER-NONE +//@ end imports FUNCTIONS-EXECUTE claim @@ -67,7 +20,11 @@ module PROOF-SIGN-CALLER-NONE ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -86,7 +43,11 @@ module PROOF-SIGN-CALLER-NONE ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -97,4 +58,8 @@ module PROOF-SIGN-CALLER-NONE andBool ActionId in_keys(ActionData) andBool notBool UserId in_keys(UserIdToRole) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k index 6909ed36a..f6bad293d 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k @@ -1,55 +1,8 @@ -module TRUSTED-SIGN-CALLER-NOT-USER - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - error ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - andBool actionDataInvariant(ActionData) - - andBool ActionId in_keys(ActionData) - andBool notBool CallerAddress in_keys(AddressToUserId) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-SIGN-CALLER-NOT-USER +//@ trusted +// module TRUSTED-SIGN-CALLER-NOT-USER +//@ end imports FUNCTIONS-EXECUTE claim @@ -67,7 +20,11 @@ module PROOF-SIGN-CALLER-NOT-USER ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -86,7 +43,11 @@ module PROOF-SIGN-CALLER-NOT-USER ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -97,4 +58,8 @@ module PROOF-SIGN-CALLER-NOT-USER andBool ActionId in_keys(ActionData) andBool notBool CallerAddress in_keys(AddressToUserId) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k index 1c8ddaf85..599d46bb4 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k @@ -1,56 +1,8 @@ -module TRUSTED-SIGN-CALLER-PROPOSER - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - error ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - andBool actionDataInvariant(ActionData) - andBool userIdToRoleInvariant(UserIdToRole) - - andBool ActionId in_keys(ActionData) - // andBool notBool ActionId in_keys(ActionSigners) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-SIGN-CALLER-PROPOSER +//@ trusted +// module TRUSTED-SIGN-CALLER-PROPOSER +//@ end imports FUNCTIONS-EXECUTE claim @@ -68,7 +20,11 @@ module PROOF-SIGN-CALLER-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -87,7 +43,11 @@ module PROOF-SIGN-CALLER-PROPOSER ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -99,4 +59,8 @@ module PROOF-SIGN-CALLER-PROPOSER andBool ActionId in_keys(ActionData) // andBool notBool ActionId in_keys(ActionSigners) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k index 194e09df5..45e6204a4 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k @@ -1,51 +1,8 @@ -module TRUSTED-SIGN-EMPTY-ACTION - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - error ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool ActionId in_keys(ActionData) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-SIGN-EMPTY-ACTION +//@ trusted +// module TRUSTED-SIGN-EMPTY-ACTION +//@ end imports FUNCTIONS-EXECUTE claim @@ -63,7 +20,11 @@ module PROOF-SIGN-EMPTY-ACTION ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -82,11 +43,19 @@ module PROOF-SIGN-EMPTY-ACTION ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell requires true andBool notBool ActionId in_keys(ActionData) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k index 97ece0bf3..37f472042 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k @@ -1,57 +1,8 @@ -module TRUSTED-SIGN-EXISTING-SIGNERS-IN-LIST - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - ((ActionId |-> Signers:ExpressionList) _ActionSigners:Map) #as ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - void ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - andBool actionDataInvariant(ActionData) - andBool userIdToRoleInvariant(UserIdToRole) - - andBool ActionId in_keys(ActionData) - andBool isKResult(Signers) - andBool #listContains(Signers, UserId) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST +//@ trusted +// module TRUSTED-SIGN-EXISTING-SIGNERS-IN-LIST +//@ end imports FUNCTIONS-EXECUTE claim @@ -69,7 +20,11 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST ActionData:Map, ((ActionId |-> Signers:ExpressionList) _ActionSigners:Map) #as ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) 
@@ -88,7 +43,11 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST ActionData, ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -101,4 +60,8 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST andBool isKResult(Signers) andBool #listContains(Signers, UserId) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k index 738f86f39..4b08680d8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k 
@@ -1,57 +1,8 @@ -module TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionLastIndex:Usize, - ActionData:Map, - (ActionId |-> [Signers:ExpressionCSV]) ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - void ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionLastIndex, - ActionData, - (ActionId |-> [#pushList(Signers, UserId)]) ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - andBool actionDataInvariant(ActionData) - andBool userIdToRoleInvariant(UserIdToRole) - - andBool ActionId in_keys(ActionData) - andBool isKResult(Signers) - andBool notBool #listContains([Signers], UserId) - ensures true - [trusted] -endmodule - +//@ proof module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST +//@ trusted +// module TRUSTED-SIGN-EXISTING-SIGNERS-NOT-IN-LIST +//@ end imports FUNCTIONS-EXECUTE claim @@ -69,7 +20,11 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST ActionData:Map, (ActionId |-> [Signers:ExpressionCSV]) ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) @@ -88,7 +43,11 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST ActionData, (ActionId |-> [#pushList(Signers, UserId)]) ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell 
@@ -101,4 +60,8 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST andBool isKResult(Signers) andBool notBool #listContains([Signers], UserId) ensures true + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k index 04f640458..01f677f8e 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k @@ -1,57 +1,8 @@ -module TRUSTED-SIGN-NO-SIGNERS - imports FUNCTIONS-EXECUTE - - claim - call(sign(ActionId:Usize)) ~> K:K - - invariantStateFull( - NumUsers:Usize, - UserIdToAddress:Map, - (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, - Quorum:Usize, - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - CallerAddress:Address, - Stack:List, - .Map - ) - - => - - void ~> K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - u(ActionLastIndex), - ActionData, - ActionId |-> [UserId, .] ActionSigners, - CallerAddress, - Stack:List, - ?_Variables - ):StateCell - - requires true - andBool notBool u(0) in_keys(UserIdToRole) - andBool actionDataInvariant(ActionData) - andBool userIdToRoleInvariant(UserIdToRole) - - andBool ActionId in_keys(ActionData) - andBool notBool ActionId in_keys(ActionSigners) - ensures true - andBool usizeToInt(ActionId) @@ -69,7 +20,11 @@ module PROOF-SIGN-NO-SIGNERS ActionData:Map, ActionSigners:Map, CallerAddress:Address, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end .Map ) 
@@ -88,7 +43,11 @@ module PROOF-SIGN-NO-SIGNERS ActionData, ActionId |-> [UserId, .] ActionSigners, CallerAddress, + //@ proof .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end ?_Variables ):StateCell @@ -102,4 +61,8 @@ module PROOF-SIGN-NO-SIGNERS andBool notBool ActionId in_keys(ActionSigners) ensures true andBool usizeToInt(ActionId) lazyConcretizeKeysFreezer) => (lazyConcretizeKeys(M) ~> M) [priority(20)] - // TODO: Move in execution-proof.k - syntax KItem ::= makeConcreteValue(key:KItem, valueType:ReflectionType, Map) - rule makeConcreteValue(Key:KItem, ValueType:ReflectionType, M:Map) - => lazySplitMap(Key, M, ?_Value:KItem, ?_Remainder:Map) - ~> cast(M[Key], ValueType) - ~> removeValue - ~> concretizeValue(M[Key]) - requires Key in_keys(M) - - syntax KItem ::= lazySplitMap(k:KItem, m:Map, value:KItem, remainder:Map) - rule lazySplitMap(K:KItem, M:Map, Value:KItem, Remainder:Map) - => splitMap(K, M, Value, Remainder) + // syntax KItem ::= lazySplitMap(k:KItem, m:Map, value:KItem, remainder:Map) + // rule lazySplitMap(K:KItem, M:Map, Value:KItem, Remainder:Map) + // => splitMap(K, M, Value, Remainder) endmodule module PERFORM-SPLIT-ACTION-INSTRUMENTATION @@ -143,7 +134,6 @@ module PERFORM-ACTION-SC-DEPLOY-INSTRUMENTATION imports PERFORM-SPLIT-ACTION-INSTRUMENTATION imports INVARIANT-INSTRUMENTATION - syntax KItem ::= "concretize-sc-deploy" rule (splitting-action => concretizeValue(Arguments)) ~> call(performAction(SCDeploy( _Amount:BigUint, 
@@ -155,94 +145,73 @@ module PERFORM-ACTION-SC-DEPLOY-INSTRUMENTATION endmodule -module PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION - imports INVARIANT-INSTRUMENTATION - imports PERFORM-SPLIT-ACTION-INSTRUMENTATION - imports PSEUDOCODE - - syntax KItem ::= splittingActionProposer1(Address) - syntax KItem ::= splittingActionProposer2(Address) - - rule ( - splitting-action - => branchK( - A1 in_keys(AddressToUserId), - splittingActionProposer1(A1), - .K - ) - ) - ~> call(performAction(AddProposer(A1:Address))) - ... - AddressToUserId:Map - [priority(10)] - - rule splittingActionProposer1(A1:Address) - => makeConcreteValue(A1, rUsize, AddressToUserId) - ~> splittingActionProposer2(A1) - ... - AddressToUserId:Map - requires A1 in_keys(AddressToUserId) - // TODO: Do I need AddressToUserId[A1] in_keys(UserIdToRole)? - - // TODO: Merge this rule with the previous one. - rule splittingActionProposer2(A1:Address) - => makeConcreteValue(AddressToUserId[A1], rUserRole, UserIdToRole) - ... - AddressToUserId:Map - UserIdToRole:Map - requires true - andBool A1 in_keys(AddressToUserId) - andBool AddressToUserId[A1] in_keys(UserIdToRole) - -endmodule - -module PROPOSE-ACTION-INSTRUMENTATION - imports INVARIANT-INSTRUMENTATION +module PROPOSE-SC-DEPLOY-INSTRUMENTATION + imports PROOF-INSTRUMENTATION imports PSEUDOCODE - syntax KItem ::= "split-propose-action" - syntax KItem ::= "split-propose-action1" - syntax KItem ::= "split-propose-action2" + syntax KItem ::= "split-sc-deploy" + syntax KItem ::= "split-sc-deploy1" - rule preCall ~> (.K => split-propose-action) ~> call(proposeAction(_Action:Action)) + rule preCall + ~> (.K => split-sc-deploy) + ~> call(proposeSCDeploy(_:BigUint, _:BoxedBytes, _:Bool, _:Bool, _:Bool, _:ExpressionList)) [priority(20)] - rule split-propose-action + rule split-sc-deploy => branchK( Caller in_keys(AddressToUserId), - lazySplitMap( - Caller, AddressToUserId, - ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) - ~> split-propose-action1, + 
makeConcreteValue(Caller, rUsize, AddressToUserId) + ~> split-sc-deploy1, .K ) ... AddressToUserId:Map Caller:KItem - rule split-propose-action1 + rule split-sc-deploy1 => branchK( AddressToUserId[Caller] in_keys(UserIdToRole), - lazySplitMap( - AddressToUserId[Caller], UserIdToRole, - ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) - ~> split-propose-action2, + makeConcreteValue(AddressToUserId[Caller], rUserRole, UserIdToRole), .K ) ... AddressToUserId:Map UserIdToRole:Map Caller:KItem +endmodule - rule split-propose-action2 - => cast(UserIdToRole[AddressToUserId[Caller]], rUserRole) - ~> removeValue - ~> concretizeValue(UserIdToRole[AddressToUserId[Caller]]) - ... +module PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + imports PERFORM-SPLIT-ACTION-INSTRUMENTATION + imports PSEUDOCODE + + syntax KItem ::= splittingActionProposer(Address) + rule ( + splitting-action + => branchK( + A1 in_keys(AddressToUserId), + splittingActionProposer(A1), + .K + ) + ) + ~> call(performAction(AddProposer(A1:Address))) + ... + AddressToUserId:Map + [priority(10)] + + rule splittingActionProposer(A1:Address) + => makeConcreteValue(A1, rUsize, AddressToUserId) + ~> branchK( + AddressToUserId[A1] in_keys(UserIdToRole), + makeConcreteValue(AddressToUserId[A1], rUserRole, UserIdToRole), + .K + ) + ... AddressToUserId:Map UserIdToRole:Map - Caller:KItem + requires A1 in_keys(AddressToUserId) + // TODO: Do I need AddressToUserId[A1] in_keys(UserIdToRole)? endmodule module CHANGE-USER-ROLE-INSTRUMENTATION 
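Review bot: The comment `// TODO: Do I need AddressToUserId[A1] in_keys(UserIdToRole)?` kept under `splittingActionProposer` is now answered by the rule body itself, which case-splits on exactly that condition with `branchK(...)` and only invokes `makeConcreteValue(AddressToUserId[A1], rUserRole, UserIdToRole)` in the branch where the key is present. Since the removed definition of `makeConcreteValue` carried `requires Key in_keys(M)` (and presumably still does wherever it was moved), the `.K` branch is what keeps the rule from getting stuck for a user id that has no role, and that is worth stating in place of the open question: `// branchK: makeConcreteValue needs the key present; a user id without a role takes the .K branch`. The retained `requires A1 in_keys(AddressToUserId)` is already established by the `branchK` in the preceding rule, so it is a defensive guard rather than a new condition; a short comment saying so would save readers from looking for another source of that fact.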
@@ -268,32 +237,16 @@ module CHANGE-USER-ROLE-INSTRUMENTATION AddressToUserId:Map rule splitChangeUserRole2(Address:Address) - => lazySplitMap( - Address, AddressToUserId, - ?_UserId:KItem, ?_AddressToUserIdRemainder:Map) - ~> cast(AddressToUserId[Address], rUsize) - ~> removeValue - ~> concretizeValue(AddressToUserId[Address]) + => makeConcreteValue(Address, rUsize, AddressToUserId) ~> branchK( AddressToUserId[Address] in_keys(UserIdToRole), - splitChangeUserRole3({AddressToUserId[Address]}:>Usize), + makeConcreteValue(AddressToUserId[Address], rUserRole, UserIdToRole), .K ) ... AddressToUserId:Map UserIdToRole:Map requires Address in_keys(AddressToUserId) - - rule splitChangeUserRole3(UserId:Usize) - => lazySplitMap( - UserId, UserIdToRole, - ?_UserRole:KItem, ?_UserIdToRoleRemainder:Map) - ~> cast(UserIdToRole[UserId], rUserRole) - ~> removeValue - ~> concretizeValue(UserIdToRole[UserId]) - ... - UserIdToRole:Map - requires UserId in_keys(UserIdToRole) endmodule module SIGN-INSTRUMENTATION @@ -369,6 +322,7 @@ module INVARIANT-EXECUTION imports PERFORM-ACTION-SC-DEPLOY-INSTRUMENTATION imports PERFORM-ACTION-REMOVE-USER-INSTRUMENTATION imports PERFORM-SPLIT-ACTION-INSTRUMENTATION + imports PROPOSE-SC-DEPLOY-INSTRUMENTATION imports COUNT-CAN-SIGN-PARTS imports INIT-LOOP-PARTS diff --git a/multisig/protocol-correctness/proof/invariant/invariant.mak b/multisig/protocol-correctness/proof/invariant/invariant.mak index 888f0c98b..b3506a114 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant.mak +++ b/multisig/protocol-correctness/proof/invariant/invariant.mak @@ -1,4 +1,4 @@ -INVARIANT_OUT_PREFIX=out/invariant. +INVARIANT_OUT_PREFIX=.out/invariant. INVARIANT_ALL := $(wildcard $(INVARIANT_DIR)/*.k) INVARIANT_PROOFS := $(wildcard $(INVARIANT_DIR)/proof-*.k) diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k index cffdbc5a5..5a6f67f9e 100644 
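Review bot: With the `splitChangeUserRole3` rule deleted, its `syntax KItem ::= splitChangeUserRole3(...)` declaration is not touched by this hunk; if it is declared above (outside this view) it is now an unused production and should go in the same commit so the module does not keep a dead constructor. The new body of `splitChangeUserRole2` is also the same sequence as `splittingActionProposer` in PERFORM-ACTION-ADD-PROPOSER-INSTRUMENTATION — `makeConcreteValue(Address, rUsize, AddressToUserId)` followed by `branchK(AddressToUserId[Address] in_keys(UserIdToRole), makeConcreteValue(AddressToUserId[Address], rUserRole, UserIdToRole), .K)` — so a single shared production for "concretize user id, then role if present" would keep the two split strategies from drifting apart. The module header and the declaration of `splitChangeUserRole2` lie outside this hunk.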
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k 
@@ -35,51 +35,137 @@ module TRUSTED-PERFORM-ACTION ~> clearExternalCallEnv ~> runExternalCalls ( EC ) - invariantStateStack( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserRoles:Map, - Quorum:Usize, - ActionLastIndex0:Usize, - ActionData0:Map, - ActionSigners0:Map, - CallerAddress:Address, - ListItem(stackEntry(_:MultisigStateCell, _:Map)) - ListItem(stackEntry(_:MultisigStateCell, _:Map)) + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserRoles:Map + Quorum:Usize + + + ActionLastIndex0:Usize + + ActionData0:Map + ActionSigners0:Map + + + + + .Map + ListItem(stackEntry( - invariantMultisigState( - NumUsersS:Usize, - UserIdToAddressS:Map, - AddressToUserIdS:Map, - NumBoardMembersS:Usize, - NumProposersS:Usize, - UserRolesS:Map, - QuorumS:Usize, - ActionLastIndexS:Usize, - ActionDataS:Map, - ActionSignersS:Map):MultisigStateCell, - .Map))) + + + _:Usize + _:Map + _:Map + + + _:Usize + _:Usize + _:Map + _:Usize + + + _:Usize + + _:Map + _:Map + + + , + _:Map)) + ListItem(stackEntry( + + + _:Usize + _:Map + _:Map + + + _:Usize + _:Usize + _:Map + _:Usize + + + _:Usize + + _:Map + _:Map + + + , + _:Map)) + ListItem(stackEntry( + + + NumUsersS:Usize + UserIdToAddressS:Map + AddressToUserIdS:Map + + + NumBoardMembersS:Usize + NumProposersS:Usize + UserRolesS:Map + QuorumS:Usize + + + ActionLastIndexS:Usize + + ActionDataS:Map + ActionSignersS:Map + + + , + .Map)) + + + + CallerAddress:Address + + => clearExternalCallEnv - ~> runExternalCalls(EC) - invariantStateStack( - u(?NumUsers1:Int), - ?UserIdToAddress1:Map, - ?AddressToUserId1:Map, - u(?NumBoardMembers1:Int), - u(?NumProposers1:Int), - ?UserRoles1:Map, - u(?Quorum1:Int), - u(?ActionLastIndex1:Int), - ?ActionData1:Map, - ?ActionSigners1:Map, - CallerAddress:Address, - .List):StateCell + ~> runExternalCalls(EC) + + + + + u(?NumUsers1:Int) + ?UserIdToAddress1:Map + 
?AddressToUserId1:Map + + + u(?NumBoardMembers1:Int) + u(?NumProposers1:Int) + ?UserRoles1:Map + u(?Quorum1:Int) + + + u(?ActionLastIndex1:Int) + + ?ActionData1:Map + ?ActionSigners1:Map + + + + + .Map + .List + + + CallerAddress:Address + + requires true andBool invariant( 
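Review bot: The rewritten claim in TRUSTED-PERFORM-ACTION is duplicated verbatim in PROOF-PERFORM-ACTION later in this file (the `@@ -160,51 +246,137 @@` hunk), leaving two ~100-line copies of the same configuration that must be edited in lockstep; if they ever diverge, the claim being assumed is no longer the claim being proved, which is exactly how a trusted lemma becomes unsound. The sign proofs in this same series already avoid that with `//@ proof` / `//@ trusted` / `//@ end` blocks around the few differing lines, so the same mechanism would let this file carry one copy with only `[trusted]` toggled. The stack shape is also worth a comment, since the claim commits to exactly three `stackEntry` frames before the call and `.List` afterwards — something like `// pre-state: exactly three stack frames; post-state: empty stack` — assuming that is the intended contract. The cell tags of this claim are not visible in this view, so this note is about structure only.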
@@ -160,51 +246,137 @@ module PROOF-PERFORM-ACTION ~> clearExternalCallEnv ~> runExternalCalls ( EC ) - invariantStateStack( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserRoles:Map, - Quorum:Usize, - ActionLastIndex0:Usize, - ActionData0:Map, - ActionSigners0:Map, - CallerAddress:Address, - ListItem(stackEntry(_:MultisigStateCell, _:Map)) - ListItem(stackEntry(_:MultisigStateCell, _:Map)) + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserRoles:Map + Quorum:Usize + + + ActionLastIndex0:Usize + + ActionData0:Map + ActionSigners0:Map + + + + + .Map + ListItem(stackEntry( - invariantMultisigState( - NumUsersS:Usize, - UserIdToAddressS:Map, - AddressToUserIdS:Map, - NumBoardMembersS:Usize, - NumProposersS:Usize, - UserRolesS:Map, - QuorumS:Usize, - ActionLastIndexS:Usize, - ActionDataS:Map, - ActionSignersS:Map):MultisigStateCell, - .Map))) + + + _:Usize + _:Map + _:Map + + + _:Usize + _:Usize + _:Map + _:Usize + + + _:Usize + + _:Map + _:Map + + + , + _:Map)) + ListItem(stackEntry( + + + _:Usize + _:Map + _:Map + + + _:Usize + _:Usize + _:Map + _:Usize + + + _:Usize + + _:Map + _:Map + + + , + _:Map)) + ListItem(stackEntry( + + + NumUsersS:Usize + UserIdToAddressS:Map + AddressToUserIdS:Map + + + NumBoardMembersS:Usize + NumProposersS:Usize + UserRolesS:Map + QuorumS:Usize + + + ActionLastIndexS:Usize + + ActionDataS:Map + ActionSignersS:Map + + + , + .Map)) + + + + CallerAddress:Address + + => clearExternalCallEnv - ~> runExternalCalls(EC) - invariantStateStack( - u(?NumUsers1:Int), - ?UserIdToAddress1:Map, - ?AddressToUserId1:Map, - u(?NumBoardMembers1:Int), - u(?NumProposers1:Int), - ?UserRoles1:Map, - u(?Quorum1:Int), - u(?ActionLastIndex1:Int), - ?ActionData1:Map, - ?ActionSigners1:Map, - CallerAddress:Address, - .List):StateCell + ~> runExternalCalls(EC) + + + + + u(?NumUsers1:Int) + ?UserIdToAddress1:Map + 
?AddressToUserId1:Map + + + u(?NumBoardMembers1:Int) + u(?NumProposers1:Int) + ?UserRoles1:Map + u(?Quorum1:Int) + + + u(?ActionLastIndex1:Int) + + ?ActionData1:Map + ?ActionSigners1:Map + + + + + .Map + .List + + + CallerAddress:Address + + requires true andBool invariant( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k index 1a5f18329..71dfa0d75 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k @@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-None.k" module TRUSTED-PERFORM-ADD-BOARD-MEMBER imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k index d9ebf601d..dfd04ff37 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k 
@@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-ADD-PROPOSER-3 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k index f13a67d84..e89fc27bf 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k @@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-ADD-PROPOSER-5 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k index 33c0d46b6..dc3a529a7 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k 
@@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-ADD-PROPOSER-7 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k index e86ec6d82..50fed9864 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k @@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-ADD-PROPOSER-8 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k index afec2fd1d..ab3e7d59d 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k 
@@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-ADD-PROPOSER-9 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k index bf63ddcdc..76ace8c93 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k @@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-REMOVE-USER-1 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k index ffd3539b5..c2519c048 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k 
@@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-REMOVE-USER-10 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k index be8b0bdc4..91010586e 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k @@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-REMOVE-USER-5 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k index 425c04119..77977ad12 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k 
@@ -1,9 +1,9 @@ require "../functions/functions-execute.k" -require "../functions/proof-change-user-role-New.k" -require "../functions/proof-change-user-role-None.k" -require "../functions/proof-change-user-role-BoardMember.k" -require "../functions/proof-change-user-role-Proposer.k" +require "../functions/trusted-change-user-role-New.k" +require "../functions/trusted-change-user-role-None.k" +require "../functions/trusted-change-user-role-BoardMember.k" +require "../functions/trusted-change-user-role-Proposer.k" module TRUSTED-PERFORM-REMOVE-USER-9 imports INVARIANT-EXECUTION diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k index c5efc6395..cf4cccd08 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k @@ -1,14 +1,16 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-PROPOSE-ADD-BOARD-MEMBER imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k index 10aa581e4..491acd437 100644 
--- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k @@ -1,14 +1,16 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-PROPOSE-ADD-PROPOSER imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k index 495a9718c..0575e1025 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k 
@@ -1,14 +1,16 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-PROPOSE-CHANGE-QUORUM imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k index f31d7434c..5d91f9f64 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k @@ -1,14 +1,16 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-PROPOSE-REMOVE-USER imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k index 3009b51da..1589b3f27 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k @@ -1,14 +1,16 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-PROPOSE-SC-CALL imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k index 6362050f3..4182e05a5 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k 
@@ -1,16 +1,18 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-sc-deploy-BoardMember.k" +require "../functions/trusted-propose-sc-deploy-Proposer.k" +require "../functions/trusted-propose-sc-deploy-error-no-user.k" +require "../functions/trusted-propose-sc-deploy-error-no-role.k" module PROOF-PROPOSE-SC-DEPLOY imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR - imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER - imports TRUSTED-PROPOSE-ACTION-PROPOSER + imports TRUSTED-PROPOSE-SC-DEPLOY-ERROR-NO-USER + imports TRUSTED-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-SC-DEPLOY-BOARDMEMBER + imports TRUSTED-PROPOSE-SC-DEPLOY-PROPOSER claim runExternalCalls( diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k index 340668c33..ad8d61608 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k 
@@ -1,14 +1,16 @@ require "../functions/functions-execute.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-PROPOSE-SEND-EGLD imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER diff --git a/multisig/protocol-correctness/proof/invariant/proof-sign.k b/multisig/protocol-correctness/proof/invariant/proof-sign.k index c2a0ea9c4..f012a137e 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-sign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-sign.k @@ -1,10 +1,10 @@ -require "../functions/proof-sign-empty-action.k" -require "../functions/proof-sign-caller-not-user.k" -require "../functions/proof-sign-caller-none.k" -require "../functions/proof-sign-caller-proposer.k" -require "../functions/proof-sign-no-signers.k" -require "../functions/proof-sign-existing-signers-in-list.k" -require "../functions/proof-sign-existing-signers-not-in-list.k" +require "../functions/trusted-sign-empty-action.k" +require "../functions/trusted-sign-caller-not-user.k" +require "../functions/trusted-sign-caller-none.k" +require "../functions/trusted-sign-caller-proposer.k" +require "../functions/trusted-sign-no-signers.k" +require "../functions/trusted-sign-existing-signers-in-list.k" +require "../functions/trusted-sign-existing-signers-not-in-list.k" module PROOF-SIGN imports INVARIANT-EXECUTION 
diff --git a/multisig/protocol-correctness/proof/make-trusted.py b/multisig/protocol-correctness/proof/make-trusted.py new file mode 100755 index 000000000..3eafc8b1b --- /dev/null +++ b/multisig/protocol-correctness/proof/make-trusted.py @@ -0,0 +1,65 @@ +#!/usr/bin/env python3 +import sys + +def naturalNumbers(): + i = 1 + while True: + yield i + i += 1 + +DEFAULT = 0 +PROOF = 1 +TRUSTED = 2 + +def makeTrusted(file_name, lines): + state = DEFAULT + for (line_number, line) in lines: + normalized = line.strip() + if normalized.startswith('//@'): + if state == DEFAULT: + if normalized == '//@ proof': + state = PROOF + else: + raise Exception( + "Unexpected trusted directive, only '//@ proof' allowed here.\n%s:%d" + % (file_name, line_number)) + elif state == PROOF: + if normalized == '//@ trusted': + state = TRUSTED + else: + raise Exception( + "Unexpected trusted directive, only '//@ trusted' allowed here.\n%s:%d" + % (file_name, line_number)) + elif state == TRUSTED: + if normalized == '//@ end': + state = DEFAULT + else: + raise Exception( + "Unexpected trusted directive, only '//@ end' allowed here.\n%s:%d" + % (file_name, line_number)) + else: + if state == DEFAULT: + pass + else: + unindented = line.lstrip() + indentation = ' ' * (len(line) - len(unindented)) + if state == PROOF: + line = indentation + '// ' + unindented + elif state == TRUSTED: + if unindented.startswith('// '): + line = indentation + unindented[3:] + else: + raise Exception( + "Expected trusted lines to be commented.\n%s:%d" + % (file_name, line_number)) + yield line + +def main(argv): + if len(argv) != 2: + raise Exception('Wrong number of arguments, expected an input and an output file name.') + with open(argv[0], 'r') as f: + with open(argv[1], 'w') as g: + g.writelines(makeTrusted(argv[0], zip(naturalNumbers(), f))) + +if __name__ == '__main__': + main(sys.argv[1:]) \ No newline at end of file 
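Review bot: A blank line inside a `//@ proof` section comes out of `makeTrusted` without its newline: for `line == '\n'`, `line.lstrip()` is `''`, so `indentation` becomes one space and the emitted text is `' // '` with no terminator, and the following source line is glued onto it (the same blank line inside a `//@ trusted` section trips 'Expected trusted lines to be commented', since `''` does not start with `// `). Strip the terminator first and put it back, e.g. `body = line.rstrip('\n')`, `unindented = body.lstrip()`, then build the result as `indentation + '// ' + unindented + '\n'`, and pass whitespace-only lines through unchanged in both states. The loop also ends silently when the file is still in PROOF or TRUSTED state, i.e. a missing `//@ end`, so the generated trusted module would just be truncated or fully commented out without any diagnostic; after the loop add `if state != DEFAULT: raise Exception('Unterminated //@ proof/trusted section in %s' % file_name)`. None of the proof files in this patch have blank lines inside a marked section, so this is latent rather than currently broken.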
diff --git a/multisig/protocol-correctness/proof/map/Makefile b/multisig/protocol-correctness/proof/map/Makefile index a0c7c98c0..ff0e645c5 100644 --- a/multisig/protocol-correctness/proof/map/Makefile +++ b/multisig/protocol-correctness/proof/map/Makefile @@ -10,8 +10,8 @@ include map.mak .PHONY: all clean execution -all: out/map.proof.timestamp +all: .out/map.proof.timestamp -execution: out/map.execution.timestamp +execution: .out/map.execution.timestamp clean: map.clean diff --git a/multisig/protocol-correctness/proof/map/map.mak b/multisig/protocol-correctness/proof/map/map.mak index 8d7d044c2..e47934d3b 100644 --- a/multisig/protocol-correctness/proof/map/map.mak +++ b/multisig/protocol-correctness/proof/map/map.mak @@ -1,4 +1,4 @@ -MAP_OUT_PREFIX=out/map. +MAP_OUT_PREFIX=.out/map. MAP_ALL := $(wildcard $(MAP_DIR)/*.k) MAP_PROOFS := $(wildcard $(MAP_DIR)/proof-*.k) diff --git a/multisig/protocol-correctness/proof/properties/Makefile b/multisig/protocol-correctness/proof/properties/Makefile index 6bce66294..c0960b6cd 100644 --- a/multisig/protocol-correctness/proof/properties/Makefile +++ b/multisig/protocol-correctness/proof/properties/Makefile @@ -19,8 +19,8 @@ include properties.mak .PHONY: all clean execution -all: out/properties.proof.timestamp +all: .out/properties.proof.timestamp -execution: out/properties.execution.timestamp +execution: .out/properties.execution.timestamp clean: properties.clean diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k index d44bc0851..380798c1c 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k 
@@ -1,12 +1,12 @@ require "../map/proof-map-semantics.k" -require "../functions/proof-sign-empty-action.k" -require "../functions/proof-sign-caller-not-user.k" -require "../functions/proof-sign-caller-none.k" -require "../functions/proof-sign-caller-proposer.k" -require "../functions/proof-sign-no-signers.k" -require "../functions/proof-sign-existing-signers-in-list.k" -require "../functions/proof-sign-existing-signers-not-in-list.k" +require "../functions/trusted-sign-empty-action.k" +require "../functions/trusted-sign-caller-not-user.k" +require "../functions/trusted-sign-caller-none.k" +require "../functions/trusted-sign-caller-proposer.k" +require "../functions/trusted-sign-no-signers.k" +require "../functions/trusted-sign-existing-signers-in-list.k" +require "../functions/trusted-sign-existing-signers-not-in-list.k" require "proof-board-members-sign-for.k" diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k index b59211c92..fe0c62479 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k 
@@ -1,12 +1,12 @@ require "../map/proof-map-semantics.k" -require "../functions/proof-sign-empty-action.k" -require "../functions/proof-sign-caller-not-user.k" -require "../functions/proof-sign-caller-none.k" -require "../functions/proof-sign-caller-proposer.k" -require "../functions/proof-sign-no-signers.k" -require "../functions/proof-sign-existing-signers-in-list.k" -require "../functions/proof-sign-existing-signers-not-in-list.k" +require "../functions/trusted-sign-empty-action.k" +require "../functions/trusted-sign-caller-not-user.k" +require "../functions/trusted-sign-caller-none.k" +require "../functions/trusted-sign-caller-proposer.k" +require "../functions/trusted-sign-no-signers.k" +require "../functions/trusted-sign-existing-signers-in-list.k" +require "../functions/trusted-sign-existing-signers-not-in-list.k" module TRUSTED-BOARD-MEMBERS-SIGN-FOR imports PROPERTIES-EXECUTE diff --git a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k index 56f615e14..f3fa3fe77 100644 --- a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k +++ b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k @@ -4,9 +4,10 @@ require "proof-board-members-sign-for.k" require "proof-board-members-sign-for-2.k" require "proof-board-members-sign-for-3.k" -require "../functions/proof-propose-action-BoardMember.k" -require "../functions/proof-propose-action-Proposer.k" -require "../functions/proof-propose-action-error.k" +require "../functions/trusted-propose-action-BoardMember.k" +require "../functions/trusted-propose-action-Proposer.k" +require "../functions/trusted-propose-action-error-no-user.k" +require "../functions/trusted-propose-action-error-no-role.k" module PROOF-CAN-PROPOSE-AND-EXECUTE imports MAP-EXECUTE 
@@ -20,7 +21,8 @@ module PROOF-CAN-PROPOSE-AND-EXECUTE imports TRUSTED-COUNT-CAN-SIGN imports TRUSTED-MAP-SEMANTICS - imports TRUSTED-PROPOSE-ACTION-ERROR + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE + imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER imports TRUSTED-PROPOSE-ACTION-PROPOSER diff --git a/multisig/protocol-correctness/proof/properties/properties.mak b/multisig/protocol-correctness/proof/properties/properties.mak index 69abd3f70..f447af5ce 100644 --- a/multisig/protocol-correctness/proof/properties/properties.mak +++ b/multisig/protocol-correctness/proof/properties/properties.mak @@ -1,4 +1,4 @@ -PROPERTIES_OUT_PREFIX=out/properties. +PROPERTIES_OUT_PREFIX=.out/properties. PROPERTIES_ALL := $(wildcard $(PROPERTIES_DIR)/*.k) PROPERTIES_PROOFS := $(wildcard $(PROPERTIES_DIR)/proof-*.k) diff --git a/multisig/protocol-correctness/proof/trusted-deps.py b/multisig/protocol-correctness/proof/trusted-deps.py new file mode 100755 index 000000000..2dd89f55b --- /dev/null +++ b/multisig/protocol-correctness/proof/trusted-deps.py 
@@ -0,0 +1,359 @@ +#!/usr/bin/env python3 +import sys + +def isIdentifierChar(c): + return c.isalnum() or c == '_' or c == '-' + +class StringParser: + DEFAULT = 0 + STRING = 1 + ESCAPE = 2 + def __init__(self): + self.__state = StringParser.DEFAULT + self.__terminator = '"' + self.__contents = [] + + def processCharImmediate(self, c): + list(self.processChar(c)) + + def processChar(self, c): + if self.__state == StringParser.DEFAULT: + if c == '"': + self.__state = StringParser.STRING + self.__terminator = '"' + self.__contents = [] + elif c == "'": + self.__state = StringParser.STRING + self.__terminator = "'" + self.__contents = [] + else: + return c + elif self.__state == StringParser.STRING: + if c == self.__terminator: + self.__state = StringParser.DEFAULT + return ' ' + elif c == '\\': + self.__state = StringParser.ESCAPE + self.__contents.append(c) + else: + self.__contents.append(c) + elif self.__state == StringParser.ESCAPE: + self.__state = StringParser.STRING + self.__contents.append(c) + else: + assert False + return '' + + def inString(self): + return self.__state != StringParser.DEFAULT + + def string(self): + return ''.join(self.__contents) + +class CommentParser: + DEFAULT = 0 + SLASH = 1 + LINECOMMENT = 2 + MULTILINECOMMENT = 3 + MULTILINECOMMENTSTAR = 4 + + def __init__(self): + self.__state = CommentParser.DEFAULT + + def processChar(self, c): + if self.__state == CommentParser.DEFAULT: + if c == '/': + self.__state = CommentParser.SLASH + else: + return c + elif self.__state == CommentParser.SLASH: + if c == '/': + self.__state = CommentParser.LINECOMMENT + elif c == '*': + self.__state = CommentParser.MULTILINECOMMENT + else: + return ['/', c] + elif self.__state == CommentParser.LINECOMMENT: + if c == '\n': + self.__state = CommentParser.DEFAULT + return c + elif self.__state == CommentParser.MULTILINECOMMENT: + if c == '*': + self.__state = CommentParser.MULTILINECOMMENTSTAR + elif self.__state == CommentParser.MULTILINECOMMENTSTAR: + if c 
== '*': + pass + elif c == '/': + self.__state = CommentParser.DEFAULT + return ' ' + else: + self.__state = CommentParser.MULTILINECOMMENT + else: + assert False + return '' + +class ModuleParser: + DEFAULT = 0 + MODULEPREFIX = 1 + MODULEPREFIXSPACE = 2 + MODULEPREFIXNAME = 3 + MODULE = 4 + MODULESUFFIX = 5 + INWORD = 6 + MODULEINWORD = 7 + + PREFIX = 'module' + SUFFIX = 'endmodule' + + def __init__(self): + self.__state = ModuleParser.DEFAULT + self.__processed = [] + + def processChar(self, c): + if self.__state == ModuleParser.DEFAULT: + if c == ModuleParser.PREFIX[0]: + self.__processed = [c] + self.__state = ModuleParser.MODULEPREFIX + elif isIdentifierChar(c): + self.__state = ModuleParser.INWORD + return c + else: + return c + elif self.__state == ModuleParser.MODULEPREFIX: + if len(self.__processed) == len(ModuleParser.PREFIX): + if c.isspace(): + self.__state = ModuleParser.MODULEPREFIXSPACE + else: + self.__processed.append(c) + if isIdentifierChar(c): + self.__state = ModuleParser.INWORD + else: + self.__state = ModuleParser.DEFAULT + return self.__processed + else: + assert len(self.__processed) < len(ModuleParser.PREFIX) + if c == ModuleParser.PREFIX[len(self.__processed)]: + self.__processed.append(c) + else: + self.__processed.append(c) + if isIdentifierChar(c): + self.__state = ModuleParser.INWORD + else: + self.__state = ModuleParser.DEFAULT + return self.__processed + elif self.__state == ModuleParser.MODULEPREFIXSPACE: + if c.isspace(): + pass + elif isIdentifierChar(c): + self.__state = ModuleParser.MODULEPREFIXNAME + else: + assert False, [c] + elif self.__state == ModuleParser.MODULEPREFIXNAME: + if isIdentifierChar(c): + pass + else: + self.__state = ModuleParser.MODULE + elif self.__state == ModuleParser.MODULE: + if c == ModuleParser.SUFFIX[0]: + self.__processed = [c] + self.__state = ModuleParser.MODULESUFFIX + elif isIdentifierChar(c): + self.__state = ModuleParser.MODULEINWORD + elif self.__state == ModuleParser.MODULESUFFIX: + if 
len(self.__processed) == len(ModuleParser.SUFFIX): + if c.isspace() or c == '[': + self.__state = ModuleParser.DEFAULT + return c + else: + if isIdentifierChar(c): + self.__state = ModuleParser.MODULEINWORD + else: + self.__state = ModuleParser.MODULE + else: + assert len(self.__processed) < len(ModuleParser.SUFFIX) + if c == ModuleParser.SUFFIX[len(self.__processed)]: + self.__processed.append(c) + else: + if isIdentifierChar(c): + self.__state = ModuleParser.MODULEINWORD + else: + self.__state = ModuleParser.MODULE + elif self.__state == ModuleParser.INWORD: + if not isIdentifierChar(c): + self.__state = ModuleParser.DEFAULT + return c + elif self.__state == ModuleParser.MODULEINWORD: + if not isIdentifierChar(c): + self.__state = ModuleParser.MODULE + else: + assert False + return '' + +class AttributeParser: + DEFAULT = 0 + ATTRIBUTE = 1 + def __init__(self): + self.__state = AttributeParser.DEFAULT + + def processChar(self, c): + if self.__state == AttributeParser.DEFAULT: + if c == '[': + self.__state = AttributeParser.ATTRIBUTE + else: + return c + elif self.__state == AttributeParser.ATTRIBUTE: + if c == ']': + self.__state = AttributeParser.DEFAULT + return ' ' + else: + assert False + return '' + +class RequireParser: + DEFAULT = 0 + INWORD = 1 + INPREFIX = 2 + PREFIXSPACE = 3 + INSTRING = 4 + + PREFIX = 'require' + + def __init__(self, dependencies): + self.__state = RequireParser.DEFAULT + self.__processed = [] + self.__string_parser = StringParser() + self.__dependencies = dependencies + + def processChar(self, c): + if self.__state == RequireParser.DEFAULT: + if c == RequireParser.PREFIX[0]: + self.__processed = [c] + self.__state = RequireParser.INPREFIX + elif isIdentifierChar(c): + self.__state = RequireParser.INWORD + elif self.__state == RequireParser.INWORD: + if not isIdentifierChar(c): + self.__state = RequireParser.DEFAULT + elif self.__state == RequireParser.INPREFIX: + if len(self.__processed) == len(RequireParser.PREFIX): + if c.isspace(): 
+ self.__state = RequireParser.PREFIXSPACE + else: + self.__string_parser.processCharImmediate(c) + if self.__string_parser.inString(): + self.__state = RequireParser.INSTRING + elif isIdentifierChar(c): + self.__state = RequireParser.INWORD + else: + assert False + else: + assert len(self.__processed) < len(RequireParser.PREFIX) + if c == RequireParser.PREFIX[len(self.__processed)]: + self.__processed.append(c) + elif isIdentifierChar(c): + self.__state = RequireParser.INWORD + else: + self.state = RequireParser.DEFAULT + elif self.__state == RequireParser.PREFIXSPACE: + if not c.isspace(): + self.__string_parser.processCharImmediate(c) + if self.__string_parser.inString(): + self.__state = RequireParser.INSTRING + else: + assert False, [c] + elif self.__state == RequireParser.INSTRING: + self.__string_parser.processCharImmediate(c) + if not self.__string_parser.inString(): + self.__dependencies.append(self.__string_parser.string()) + self.__state = RequireParser.DEFAULT + else: + assert False + return '' + + def inRequire(self): + return not self.__state in [RequireParser.DEFAULT, RequireParser.INWORD] + + def inString(self): + return self.__state == RequireParser.INSTRING + + def afterKeyword(self): + return ( + self.__state in [RequireParser.PREFIXSPACE, RequireParser.INSTRING] + or ( + self.__state == RequireParser.INPREFIX + and len(self.__processed) == len(RequireParser.PREFIX)) + ) + +def conditionalProcessAndIterate(c, skip_condition, parser, next): + if skip_condition(): + if next: + next(c) + else: + for d in parser.processChar(c): + if next: + next(d) + +def extractRequire(chars): + extracted = [] + string_parser = StringParser() + comment_parser = CommentParser() + module_parser = ModuleParser() + attribute_parser = AttributeParser() + require_parser = RequireParser(extracted) + for c in chars: + conditionalProcessAndIterate(c, lambda: string_parser.inString() or require_parser.inString(), comment_parser, + lambda d: conditionalProcessAndIterate(d, 
require_parser.afterKeyword, string_parser, + lambda e: conditionalProcessAndIterate(e, require_parser.inString, attribute_parser, + lambda f: conditionalProcessAndIterate(f, require_parser.inRequire, module_parser, + lambda g: conditionalProcessAndIterate(g, lambda: False, require_parser, None) + ) + ) + ) + ) + return extracted + +def printRequire(rule_name, identifying_prefix, prefix_to_add, required): + required = [r for r in required if r.startswith(identifying_prefix)] + if required: + print('%s : \\' % rule_name) + for r in required[:-1]: + print('\t%s%s \\' % (prefix_to_add, r)) + print('\t%s%s' % (prefix_to_add, required[-1])) + + +def assertEquals(expected, actual): + assert expected == actual, "Expected '%s' but got '%s'." % (expected, actual) + +def runTests(): + assertEquals([], extractRequire('')) + assertEquals(['f.k'], extractRequire('require "f.k"')) + assertEquals(['f.k'], extractRequire('require/**/"f.k"')) + assertEquals(['f.k'], extractRequire('require/*/*/"f.k"')) + assertEquals(['f.k'], extractRequire('require/***/"f.k"')) + assertEquals([], extractRequire('// require "f.k"')) + assertEquals(['f.k'], extractRequire('module m endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m require "g.k" endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m /*endmodule*/ require "g.k" endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m // endmodule\n require "g.k" endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m require "g.k/*" endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m endmodules require "g.k" endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m endmodulesendmodule require "g.k" endmodule require "f.k"')) + assertEquals(['f.k'], extractRequire('module m endmodule[require "g.k"]require "f.k"')) + +USAGE = '''Wrong number of arguments, 
expected: +* an input file +* a Makefile rule name +* a prefix that identifies dependencies +* a prefix to be added to all dependencies. +''' + +def main(argv): + runTests() + if len(argv) != 4: + raise Exception(USAGE) + with open(argv[0], 'r') as f: + printRequire(argv[1], argv[2], argv[3], extractRequire(f.read())) + +if __name__ == '__main__': + main(sys.argv[1:]) \ No newline at end of file From 6921ba49a2fd20aa30d189148508f84e9060c4ac Mon Sep 17 00:00:00 2001 
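Review bot: In `RequireParser.processChar`, the INPREFIX branch that handles a non-identifier character after a partial `require` match assigns `self.state = RequireParser.DEFAULT` — a new public attribute, not the name-mangled `self.__state` used everywhere else — so the parser stays in INPREFIX with a stale `__processed` and the next character is matched against the middle of the keyword. A short token such as `r` or `re` followed by whitespace or punctuation can therefore make the next `require "..."` go unreported, which in this tool means a missing Makefile prerequisite and a proof that is not rebuilt when its trusted dependency changes. Change it to `self.__state = RequireParser.DEFAULT` and add a regression case next to the others, e.g. `assertEquals(['f.k'], extractRequire('r require "f.k"'))`; with the typo in place that case yields `[]`, so it doubles as a check that `runTests()` exercises the branch.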
From: Virgil Serbanuta Date: Thu, 8 Apr 2021 11:06:18 +0300 Subject: [PATCH 17/37] Prepare actions for malicious user proofs --- multisig/.gitignore | 2 + multisig/WORKSPACE.bazel | 0 multisig/kompile_tool/BUILD | 12 +++ multisig/kompile_tool/kompile.sh | 5 ++ multisig/kompile_tool/prepare-k.sh | 9 +++ .../proof/execution-proof.k | 4 +- .../proof/functions/BUILD | 7 ++ .../proof/functions/Makefile | 2 +- .../proof/functions/functions-dependency.mak | 3 +- .../proof/functions/proof-count-can-sign.k | 57 +++++++++++++ .../proof-discard-action-has-signers.k | 76 ++++++++++++++++++ .../functions/proof-discard-action-no-role.k | 63 +++++++++++++++ .../proof-discard-action-no-signers.k | 76 ++++++++++++++++++ .../functions/proof-discard-action-no-user.k | 63 +++++++++++++++ .../proof-discard-action-no-valid-signers.k | 76 ++++++++++++++++++ .../proof/functions/proof.bzl | 33 ++++++++ .../protocol-correctness/proof/invariant.k | 1 + .../proof/invariant/invariant-execution.k | 80 +++++++++++++++++++ .../proof/invariant/proof-discard-action.k | 13 ++- .../proof/make-trusted.py | 2 +- 20 files changed, 578 insertions(+), 6 deletions(-) create mode 100644 multisig/.gitignore create mode 100644 multisig/WORKSPACE.bazel create mode 100644 multisig/kompile_tool/BUILD create mode 100755 multisig/kompile_tool/kompile.sh create mode 100755 multisig/kompile_tool/prepare-k.sh create mode 100644 multisig/protocol-correctness/proof/functions/BUILD create mode 100644 multisig/protocol-correctness/proof/functions/proof-count-can-sign.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof.bzl diff --git a/multisig/.gitignore b/multisig/.gitignore new file mode 100644 index 000000000..6bf4b1129 --- /dev/null +++ b/multisig/.gitignore @@ -0,0 +1,2 @@ +kompile_tool/k +bazel-* \ No newline at end of file diff --git a/multisig/WORKSPACE.bazel b/multisig/WORKSPACE.bazel new file mode 100644 index 000000000..e69de29bb diff --git a/multisig/kompile_tool/BUILD b/multisig/kompile_tool/BUILD new file mode 100644 index 000000000..23cac3f07 --- /dev/null +++ b/multisig/kompile_tool/BUILD @@ -0,0 +1,12 @@ +sh_binary( + name = "kompile_tool", + srcs = ["kompile.sh"], + deps = [":k_release"], + data = [":k_release"], + visibility = ["//visibility:public"], +) + +sh_library( + name = "k_release", + data = glob(["k/**"]), +) \ No newline at end of file diff --git a/multisig/kompile_tool/kompile.sh b/multisig/kompile_tool/kompile.sh new file mode 100755 index 000000000..80f6ec980 --- /dev/null +++ b/multisig/kompile_tool/kompile.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash + +# Workaround a Bazel bug, kompile should be available in runfiles. +KOMPILE=`find . -name kompile | head -n 1` +$KOMPILE "$@" \ No newline at end of file diff --git a/multisig/kompile_tool/prepare-k.sh b/multisig/kompile_tool/prepare-k.sh new file mode 100755 index 000000000..851ea4ec0 --- /dev/null +++ b/multisig/kompile_tool/prepare-k.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +KOMPILE=`which kompile` +BIN=`dirname $KOMPILE` +RELEASE=`dirname $BIN` + +mkdir k + +cp -r $RELEASE/* k diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index a298b33e6..4c01aec2e 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k 
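Review bot: `find . -name kompile | head -n 1` in kompile.sh is used without checking that it found anything: when the search is empty `$KOMPILE` expands to nothing and the first element of `"$@"` is executed as a command, and a match containing whitespace is word-split because the expansion is unquoted. The search also accepts the first file named `kompile` anywhere under the working directory rather than the one shipped in `:k_release`, so an unrelated file of that name earlier in `find` order would be run instead. Tighten it to `KOMPILE=$(find . -type f -name kompile -perm -u+x | head -n 1)`, `[ -n "$KOMPILE" ] || { echo "kompile not found in runfiles" >&2; exit 1; }`, `exec "$KOMPILE" "$@"`; if the runfiles layout is stable, restricting the search to the k_release tree would be better still.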
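Review bot: `which kompile` in prepare-k.sh is unchecked, so when kompile is not on PATH `$KOMPILE` is empty, both `dirname` calls yield `.`, `RELEASE` becomes `.` and `cp -r $RELEASE/* k` tries to copy the current directory — including the just-created `k` — into `k`. There is also no `set -e`, so a failing `mkdir k` (directory already present) is ignored and the copy lands on top of a stale tree, and the unquoted expansions break on paths with spaces. Start with `set -euo pipefail`, use `KOMPILE=$(command -v kompile) || { echo "kompile not on PATH" >&2; exit 1; }`, and quote the rest: `cp -r "$RELEASE"/* k`.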
@@ -418,7 +418,7 @@ module EXECUTION-PROOF-HELPERS syntax Bool ::= canSignFunction(UserRole) [function, functional] rule canSignFunction(Role:UserRole) => Role ==K BoardMember - syntax Int ::= countCanSignFunction(signerIDs:ExpressionList, userIdToRole:Map) [function, functional] + syntax Int ::= countCanSignFunction(signerIDs:ExpressionList, userIdToRole:Map) [function, functional, smtlib(countCanSignFunction)] syntax Int ::= #countCanSignFunction(userID:Usize, signerIDs:ExpressionList, userIdToRole:Map, value:KItem) [function, functional] rule countCanSignFunction([.], _:Map) => 0 rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], UserId |-> Role:UserRole M:Map) @@ -459,6 +459,8 @@ module EXECUTION-PROOF-HELPERS requires notBool canSignFunction(Value) [simplification] + rule 0 <=Int countCanSignFunction(_, _) => true [simplification, smt-lemma] + endmodule module CONCRETIZE-INSTRUMENTATION diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD new file mode 100644 index 000000000..d3cd77563 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -0,0 +1,7 @@ +load(":proof.bzl", "kompile") + +print("BUILD file") +kompile( + name = "functions-execute", + srcs = ["functions-execute.k"] +) diff --git a/multisig/protocol-correctness/proof/functions/Makefile b/multisig/protocol-correctness/proof/functions/Makefile index d0a9c8ef6..fd8cddb9a 100644 --- a/multisig/protocol-correctness/proof/functions/Makefile +++ b/multisig/protocol-correctness/proof/functions/Makefile @@ -15,6 +15,6 @@ include functions.mak all: $(FUNCTIONS_OUT_PREFIX)proof.timestamp -execution: $(FUNCTIONS_OUT_PREFIX)execution.timestamp +execution: $(FUNCTIONS_OUT_PREFIX)execution.timestamp $(FUNCTIONS_OUT_PREFIX)trusted.timestamp clean: functions.clean 
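Review bot: `rule 0 <=Int countCanSignFunction(_, _) => true [simplification, smt-lemma]` is an axiom rather than a proved fact: with the new `smtlib(countCanSignFunction)` attribute the function is an uninterpreted symbol for Z3, and the lemma is handed to the solver as given. It is justified by the visible base case `countCanSignFunction([.], _:Map) => 0` only if every `#countCanSignFunction` step adds a nonnegative amount, which this hunk does not show. A justification comment on the rule would let the next reader check it instead of trusting it, e.g. `// Sound: the count starts at 0 and each #countCanSignFunction step adds 0 or 1 (see the rules above).`, provided that is indeed what those rules do. The enclosing module continues outside the hunk.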
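Review bot: `print("BUILD file")` in functions/BUILD reads as a debugging leftover; Bazel reports it as a DEBUG message every time the package is loaded. Drop the line, or if it is meant to stay, make it say which package is being loaded. The `kompile` macro it precedes lives in proof.bzl, outside this hunk.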
diff --git a/multisig/protocol-correctness/proof/functions/functions-dependency.mak b/multisig/protocol-correctness/proof/functions/functions-dependency.mak index 579b530db..7b9623076 100644 --- a/multisig/protocol-correctness/proof/functions/functions-dependency.mak +++ b/multisig/protocol-correctness/proof/functions/functions-dependency.mak @@ -1,3 +1,4 @@ FUNCTIONS_ALL := $(wildcard $(FUNCTIONS_DIR)/*.k) FUNCTIONS_PROOFS := $(wildcard $(FUNCTIONS_DIR)/proof-*.k) -FUNCTIONS_EXECUTION := $(filter-out $(FUNCTIONS_PROOFS), $(FUNCTIONS_ALL)) $(PROOF_EXECUTION) +FUNCTIONS_TRUSTED := $(wildcard $(FUNCTIONS_DIR)/trusted-*.k) +FUNCTIONS_EXECUTION := $(filter-out $(FUNCTIONS_TRUSTED), $(filter-out $(FUNCTIONS_PROOFS), $(FUNCTIONS_ALL))) $(PROOF_EXECUTION) diff --git a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k new file mode 100644 index 000000000..4f1571d68 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k 
@@ -0,0 +1,57 @@ +//@ proof +module PROOF-COUNT-CAN-SIGN + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-COUNT-CAN-SIGN + // imports EXECUTION-PROOF +//@ end + + claim + + call(countCanSign(SignerIds:ExpressionList)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:List, + .Map + ) + + => + + evaluate(u(countCanSignFunction(SignerIds, opaque(UserIdToRole)))) ~> K + + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables) + + requires true + andBool isKResult(SignerIds) + andBool listElementsAreUsize(SignerIds) + andBool userIdToRoleInvariant(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k new file mode 100644 index 000000000..514ae10f5 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k 
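Review bot: The claim has no header stating what it establishes, and since make-trusted.py turns this file into a `[trusted]` axiom consumed by the other proofs, the reader of TRUSTED-COUNT-CAN-SIGN needs that statement in one place. A comment above `claim` along the lines of `// Calling countCanSign(SignerIds) on an invariant-respecting state evaluates to countCanSignFunction(SignerIds, UserIdToRole); every state component except the local Variables map is unchanged.` matches what the two configurations show (only `.Map` becomes `?_Variables`). It would also help to say why `isKResult(SignerIds)` and `listElementsAreUsize(SignerIds)` are required as preconditions, if that is known.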
@@ -0,0 +1,76 @@ +//@ proof +require "trusted-count-can-sign.k" +//@ trusted +//@ end + +//@ proof +module PROOF-DISCARD-ACTION-HAS-SIGNERS + imports FUNCTIONS-EXECUTE + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-DISCARD-ACTION-HAS-SIGNERS + // imports EXECUTION-PROOF +//@ end + + claim + call(discardAction(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + (ActionId |-> SignerIds _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool isKResult(SignerIds) + andBool listElementsAreUsize(SignerIds) + andBool userIdToRoleInvariant(UserIdToRole) + + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool countCanSignFunction(SignerIds, opaque(UserIdToRole)) >Int 0 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k new file mode 100644 index 000000000..5e10ca599 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k 
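Review bot: The claim is proved only for an empty call stack (`.List, // TODO: Stack:List,` in both the pre- and the post-state), but the `//@ trusted` variant that make-trusted.py generates replaces those lines with `Stack:List,`, so the lemma that PROOF-DISCARD-ACTION imports as an axiom is strictly stronger than what was actually checked. Until the TODO is resolved the trusted block should carry the same `.List,` so the assumed claim never exceeds the proved one, or the proof should be generalised to `Stack:List` first. The same pattern appears in the sibling discard-action claims added in this commit (no-role, no-signers, no-user, no-valid-signers).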
@@ -0,0 +1,63 @@ +//@ proof +module PROOF-DISCARD-ACTION-NO-ROLE +//@ trusted +// module TRUSTED-DISCARD-ACTION-NO-ROLE +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(discardAction(_ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k new file mode 100644 index 000000000..81cb29859 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k 
@@ -0,0 +1,76 @@ +//@ proof +require "trusted-count-can-sign.k" +//@ trusted +//@ end + +//@ proof +module PROOF-DISCARD-ACTION-NO-SIGNERS + imports FUNCTIONS-EXECUTE + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-DISCARD-ACTION-NO-SIGNERS + // imports EXECUTION-PROOF +//@ end + + claim + call(discardAction(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionId |-> _:Action ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool isKResult(SignerIds) + andBool listElementsAreUsize(SignerIds) + andBool userIdToRoleInvariant(UserIdToRole) + + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool notBool ActionId in_keys(ActionSigners) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k new file mode 100644 index 000000000..8cb87b3b2 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k 
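Review bot: `SignerIds` is constrained in the requires clause (`isKResult(SignerIds)`, `listElementsAreUsize(SignerIds)`) but is bound nowhere in the configuration pattern — `ActionSigners:Map` is matched whole and the precondition states `notBool ActionId in_keys(ActionSigners)`. It looks like a leftover from the has-signers claim; a variable that occurs only in a side condition is at best vacuous and, depending on the K version, may be rejected as unbound. Drop the two `SignerIds` conjuncts, or bind the variable in the pattern if it is meant to constrain something.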
@@ -0,0 +1,63 @@ +//@ proof +module PROOF-DISCARD-ACTION-NO-USER +//@ trusted +// module TRUSTED-DISCARD-ACTION-NO-USER +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(discardAction(_ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool notBool CallerAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k new file mode 100644 index 000000000..2b70ff79a --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k 
@@ -0,0 +1,76 @@ +//@ proof +require "trusted-count-can-sign.k" +//@ trusted +//@ end + +//@ proof +module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS + imports FUNCTIONS-EXECUTE + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-DISCARD-ACTION-NO-VALID-SIGNERS + // imports EXECUTION-PROOF +//@ end + + claim + call(discardAction(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionId |-> _:Action ActionData:Map, + ActionId |-> SignerIds ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool isKResult(SignerIds) + andBool listElementsAreUsize(SignerIds) + andBool userIdToRoleInvariant(UserIdToRole) + + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool countCanSignFunction(SignerIds, opaque(UserIdToRole)) ==Int 0 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof.bzl b/multisig/protocol-correctness/proof/functions/proof.bzl new file mode 100644 index 000000000..bc09a1941 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof.bzl 
@@ -0,0 +1,33 @@ +def _kompile_impl(ctx): + output_dir = ctx.actions.declare_directory(ctx.label.name + '-kompiled') + if len(ctx.files.srcs) != 1: + fail + input_names = [s.path for s in ctx.files.srcs] + # TODO: Make this work if the file name is not based on the target name. + ctx.actions.run( + inputs=ctx.files.srcs, + outputs=[output_dir], + arguments=input_names, + progress_message="Kompiling %s." % ctx.files.srcs[0].path, + # tools=depset(["//kompile_tool"]), + executable=ctx.executable.kompile_tool) + print("here") + return [ + DefaultInfo( + files = depset([ output_dir ]), + ) + ] + +kompile = rule( + implementation = _kompile_impl, + attrs = { + "deps": attr.label_list(), + "srcs": attr.label_list(allow_files = [".k"]), + "kompile_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool"), + ), + }, +) diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k index 31d33003e..0de867c1e 100644 --- a/multisig/protocol-correctness/proof/invariant.k +++ b/multisig/protocol-correctness/proof/invariant.k @@ -52,6 +52,7 @@ module INVARIANT-HELPERS => true andBool isExpressionList(V) andBool listElementsAreUsize(V) // valuesAreExpressionListOfUsize(ActionSigners) andBool isKResult(V) // valuesAreKResult(ActionSigners) + andBool valueIsNotEmpty(V, rExpressionList) // valuesAreNotEmpty(ActionSigners, rExpressionList) andBool actionSignersInvariant(ActionSigners) [simplification] diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index acf647fe2..76ef99d64 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k 
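Review bot: `if len(ctx.files.srcs) != 1: fail` does nothing — in Starlark `fail` is a function, and naming it without calling it is a no-op expression, so a target with zero or several srcs proceeds to `ctx.files.srcs[0]` (an index error on zero, silently first-file-only otherwise); use `fail("kompile expects exactly one src, got %d" % len(ctx.files.srcs))`. The `print("here")` debug statement should also go before this lands. `deps` is declared but never reaches the action's `inputs`, so a change in a dependency will not trigger a re-kompile and the sandbox will hide the files from kompile anyway.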
@@ -310,6 +310,85 @@ module SIGN-INSTRUMENTATION andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) endmodule +module DISCARD-ACTION-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + imports PROOF-INSTRUMENTATION + imports EXECUTION-PROOF + imports PSEUDOCODE + + syntax KItem ::= splitDiscardAction(actionId:Usize) + syntax KItem ::= splitDiscardAction1(actionId:Usize) + syntax KItem ::= splitDiscardAction2(actionId:Usize) + syntax KItem ::= splitDiscardAction3(actionId:Usize) + syntax KItem ::= splitDiscardAction4(actionId:Usize) + + rule preCall + ~> (.K => splitDiscardAction(ActionId)) + ~> call(discardAction(ActionId:Usize)) + [priority(20)] + + rule splitDiscardAction(ActionId:Usize) + => branchK( + Caller in_keys(AddressToUserId), + splitDiscardAction1(ActionId), + .K + ) + ... + AddressToUserId:Map + Caller:KItem + + rule splitDiscardAction1(ActionId:Usize) + => makeConcreteValue(Caller, rUsize, AddressToUserId) + ~> branchK( + AddressToUserId[Caller] in_keys(UserIdToRole), + splitDiscardAction2(ActionId), + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + Caller:KItem + requires Caller in_keys(AddressToUserId) + + rule splitDiscardAction2(ActionId:Usize) + => makeConcreteValue(AddressToUserId[Caller], rUserRole, UserIdToRole) + ~> branchK( + ActionId in_keys(ActionSigners), + splitDiscardAction3(ActionId), + splitDiscardAction4(ActionId) + ) + ... + AddressToUserId:Map + UserIdToRole:Map + Caller:KItem + ActionSigners:Map + requires Caller in_keys(AddressToUserId) + + rule splitDiscardAction3(ActionId:Usize) + => makeConcreteValue(ActionId, rExpressionList, ActionSigners) + ~> branchK( + ActionId in_keys(ActionData), + makeConcreteValue(ActionId, rAction, ActionData), + splitDiscardAction4(ActionId) + ) + ... 
+ ActionData + ActionSigners + requires ActionId in_keys(ActionSigners) + rule splitDiscardAction4(ActionId:Usize) + => branchK( + countCanSignFunction({ActionSigners[ActionId]}:>ExpressionList, opaque(UserIdToRole)) >Int 0, + .K, + .K + ) + ... + ActionSigners + UserIdToRole:Map + requires ActionId in_keys(ActionSigners) + andBool isExpressionList(ActionSigners[ActionId]) + +endmodule + module INVARIANT-EXECUTION imports EXECUTION-PROOF imports FUNCTIONS-EXECUTE @@ -323,6 +402,7 @@ module INVARIANT-EXECUTION imports PERFORM-ACTION-REMOVE-USER-INSTRUMENTATION imports PERFORM-SPLIT-ACTION-INSTRUMENTATION imports PROPOSE-SC-DEPLOY-INSTRUMENTATION + imports DISCARD-ACTION-INSTRUMENTATION imports COUNT-CAN-SIGN-PARTS imports INIT-LOOP-PARTS diff --git a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k index fbdf20de6..d09b3ba4f 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k +++ b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k @@ -1,9 +1,18 @@ -require "proof-count-can-sign.k" +require "../functions/trusted-discard-action-has-signers.k" +require "../functions/trusted-discard-action-no-role.k" +require "../functions/trusted-discard-action-no-signers.k" +require "../functions/trusted-discard-action-no-user.k" +require "../functions/trusted-discard-action-no-valid-signers.k" module PROOF-DISCARD-ACTION imports INVARIANT-EXECUTION imports PSEUDOCODE - imports TRUSTED-COUNT-CAN-SIGN + + imports TRUSTED-DISCARD-ACTION-HAS-SIGNERS + imports TRUSTED-DISCARD-ACTION-NO-ROLE + imports TRUSTED-DISCARD-ACTION-NO-SIGNERS + imports TRUSTED-DISCARD-ACTION-NO-USER + imports TRUSTED-DISCARD-ACTION-NO-VALID-SIGNERS claim runExternalCalls( diff --git a/multisig/protocol-correctness/proof/make-trusted.py b/multisig/protocol-correctness/proof/make-trusted.py index 3eafc8b1b..e2f125d0e 100755 
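Review bot: In `splitDiscardAction2` the false branch of `branchK(ActionId in_keys(ActionSigners), …)` continues with `splitDiscardAction4(ActionId)`, but the only rule for `splitDiscardAction4` requires `ActionId in_keys(ActionSigners)`, so — assuming `branchK(c, t, f)` takes `t` when `c` holds, as the earlier `splitDiscardAction` rule suggests — that branch can never rewrite and symbolic execution gets stuck there instead of reaching the no-signers lemma. Conversely, when the action has signers and is present in `ActionData`, `splitDiscardAction3` runs `makeConcreteValue(ActionId, rAction, ActionData)` and stops, so the `countCanSignFunction(...) >Int 0` case split that the has-signers / no-valid-signers lemmas need is only performed when the action is absent. I would expect the false branch in splitDiscardAction2 to be `.K` and the true branch in splitDiscardAction3 to be `makeConcreteValue(ActionId, rAction, ActionData) ~> splitDiscardAction4(ActionId)`; please confirm against the `branchK` definition, which is outside this hunk.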
--- a/multisig/protocol-correctness/proof/make-trusted.py +++ b/multisig/protocol-correctness/proof/make-trusted.py @@ -62,4 +62,4 @@ def main(argv): g.writelines(makeTrusted(argv[0], zip(naturalNumbers(), f))) if __name__ == '__main__': - main(sys.argv[1:]) \ No newline at end of file + main(sys.argv[1:]) From 9009962f238a74d39a00e2587407475a9c884d7e Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Thu, 8 Apr 2021 11:06:46 +0300 Subject: [PATCH 18/37] Refactor proofs in order to reuse them for malicious user properties. --- multisig/BUILD | 0 multisig/kompile_tool/BUILD | 28 + multisig/kompile_tool/kmerge.sh | 8 + multisig/kompile_tool/kompile-e.sh | 8 + multisig/kompile_tool/kompile.sh | 13 +- multisig/kompile_tool/kprove.sh | 21 + multisig/kompile_tool/make-trusted.py | 65 +++ multisig/proof.bzl | 186 +++++++ multisig/protocol-correctness/BUILD | 7 + multisig/protocol-correctness/Makefile | 2 +- multisig/protocol-correctness/proof/BUILD | 31 ++ .../proof/execution-proof-helpers.k | 482 +++++++++++++++++ .../proof/execution-proof.k | 491 ++---------------- .../proof/functions/BUILD | 282 +++++++++- .../proof/functions/functions-execute.k | 2 +- .../proof/functions/functions.mak | 2 +- .../proof-discard-action-has-signers.k | 2 +- ...roof-discard-action-no-signers-no-action.k | 75 +++ .../proof-discard-action-no-signers.k | 4 +- ...iscard-action-no-valid-signers-no-action.k | 79 +++ .../proof-discard-action-no-valid-signers.k | 2 +- .../proof-propose-sc-deploy-BoardMember.k | 4 +- .../proof-propose-sc-deploy-Proposer.k | 4 +- .../proof-propose-sc-deploy-error-no-role.k | 4 +- .../proof-propose-sc-deploy-error-no-user.k | 4 +- .../proof/functions/proof-unsign-Proposer.k | 63 +++ .../proof/functions/proof-unsign-no-action.k | 62 +++ .../proof/functions/proof-unsign-no-role.k | 65 +++ .../proof/functions/proof-unsign-no-signers.k | 65 +++ .../proof/functions/proof-unsign-no-user.k | 66 +++ .../proof/functions/proof-unsign-not-signed.k | 66 +++ .../functions/proof-unsign-only-signer.k | 63 +++ .../proof-unsign-other-signers-first.k | 67 +++ .../proof-unsign-other-signers-not-first.k | 68 +++ .../proof/functions/proof.bzl | 33 -- .../protocol-correctness/proof/invariant.k | 2 + .../proof/invariant/invariant-execution.k | 174 ++++++- .../proof/invariant/invariant.mak | 2 +- .../proof/invariant/proof-discard-action.k | 4 + 
.../proof/invariant/proof-unsign.k | 22 +- multisig/protocol-correctness/proof/map/BUILD | 8 + .../protocol-correctness/proof/map/map.mak | 2 +- .../proof/properties/properties.mak | 2 +- .../protocol-correctness/proof/settings.mak | 2 + multisig/protocol-correctness/pseudocode.k | 81 +-- 45 files changed, 2168 insertions(+), 555 deletions(-) create mode 100644 multisig/BUILD create mode 100755 multisig/kompile_tool/kmerge.sh create mode 100755 multisig/kompile_tool/kompile-e.sh create mode 100755 multisig/kompile_tool/kprove.sh create mode 100755 multisig/kompile_tool/make-trusted.py create mode 100644 multisig/proof.bzl create mode 100644 multisig/protocol-correctness/BUILD create mode 100644 multisig/protocol-correctness/proof/BUILD create mode 100644 multisig/protocol-correctness/proof/execution-proof-helpers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof.bzl create mode 100644 
multisig/protocol-correctness/proof/map/BUILD diff --git a/multisig/BUILD b/multisig/BUILD new file mode 100644 index 000000000..e69de29bb diff --git a/multisig/kompile_tool/BUILD b/multisig/kompile_tool/BUILD index 23cac3f07..fd3cc088d 100644 --- a/multisig/kompile_tool/BUILD +++ b/multisig/kompile_tool/BUILD @@ -6,6 +6,34 @@ sh_binary( visibility = ["//visibility:public"], ) +sh_binary( + name = "kompile_e_tool", + srcs = ["kompile-e.sh"], + deps = [":k_release"], + data = [":k_release"], + visibility = ["//visibility:public"], +) + +sh_binary( + name = "kprove_tool", + srcs = ["kprove.sh"], + deps = [":k_release"], + data = [":k_release"], + visibility = ["//visibility:public"], +) + +sh_binary( + name = "ktrusted_tool", + srcs = ["make-trusted.py"], + visibility = ["//visibility:public"], +) + +sh_binary( + name = "kmerge_tool", + srcs = ["kmerge.sh"], + visibility = ["//visibility:public"], +) + sh_library( name = "k_release", data = glob(["k/**"]), diff --git a/multisig/kompile_tool/kmerge.sh b/multisig/kompile_tool/kmerge.sh new file mode 100755 index 000000000..056366dae --- /dev/null +++ b/multisig/kompile_tool/kmerge.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +set -e + +OUTPUT=$1 +shift + +cat "$@" | sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' > $OUTPUT diff --git a/multisig/kompile_tool/kompile-e.sh b/multisig/kompile_tool/kompile-e.sh new file mode 100755 index 000000000..8988ce6f6 --- /dev/null +++ b/multisig/kompile_tool/kompile-e.sh @@ -0,0 +1,8 @@ +#!/usr/bin/env bash + +set -e + +PARENT_DIR=`dirname $0` + +KOMPILE=$PARENT_DIR/kompile_e_tool.runfiles/__main__/kompile_tool/k/bin/kompile +$KOMPILE --backend haskell -I `pwd` -E "$@" > /dev/null diff --git a/multisig/kompile_tool/kompile.sh b/multisig/kompile_tool/kompile.sh index 80f6ec980..cce0ea7f3 100755 --- a/multisig/kompile_tool/kompile.sh +++ b/multisig/kompile_tool/kompile.sh 
@@ -1,5 +1,12 @@ #!/usr/bin/env bash -# Workaround a Bazel bug, kompile should be available in runfiles. -KOMPILE=`find . -name kompile | head -n 1` -$KOMPILE "$@" \ No newline at end of file +set -e + +PARENT_DIR=`dirname $0` + +OUTPUT_DIR=`dirname $1` +OUTPUT_DIR=`dirname $OUTPUT_DIR` +shift + +KOMPILE=$PARENT_DIR/kompile_tool.runfiles/__main__/kompile_tool/k/bin/kompile +$KOMPILE --backend haskell -I `pwd` --directory $OUTPUT_DIR "$@" diff --git a/multisig/kompile_tool/kprove.sh b/multisig/kompile_tool/kprove.sh new file mode 100755 index 000000000..250af0272 --- /dev/null +++ b/multisig/kompile_tool/kprove.sh @@ -0,0 +1,21 @@ +#!/usr/bin/env bash + +set -e + +PARENT_DIR=`dirname $0` +OUTPUT=$1 +shift + +KOMPILE_DIR=`dirname $1` +shift + +TMP_DIR=$1 +shift + +cp -rL $KOMPILE_DIR $TMP_DIR +chmod -R a+w $TMP_DIR/* + +KPROVE=$PARENT_DIR/kprove_tool.runfiles/__main__/kompile_tool/k/bin/kprove +$KPROVE --haskell-backend-command "kore-exec --smt-timeout 4000" --directory "$TMP_DIR" "$@" +# -I `pwd` +touch $OUTPUT diff --git a/multisig/kompile_tool/make-trusted.py b/multisig/kompile_tool/make-trusted.py new file mode 100755 index 000000000..e2f125d0e --- /dev/null +++ b/multisig/kompile_tool/make-trusted.py 
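Review bot: `chmod -R a+w $TMP_DIR/*` makes the copied kompiled definition world-writable for the whole proof run; only the current user needs write access (the copy is presumably read-only because `cp -rL` carries over the sandbox's mode bits), so `chmod -R u+w "$TMP_DIR"` is the least-privilege form and also covers the directory itself and dot-files, which `$TMP_DIR/*` skips. `$KOMPILE_DIR`, `$TMP_DIR`, `$OUTPUT` and the `dirname $0` / `dirname $1` expansions should be double-quoted; Bazel paths are usually safe, but under `set -e` a path with spaces fails at the wrong step rather than up front. Finally, `--haskell-backend-command "kore-exec --smt-timeout 4000"` resolves `kore-exec` from the caller's PATH rather than from the `k/bin` directory next to `$KPROVE`, so the prover binary is not the one pinned by `k_release`; pointing it at `$PARENT_DIR/kprove_tool.runfiles/__main__/kompile_tool/k/bin/kore-exec` keeps the toolchain hermetic.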
@@ -0,0 +1,65 @@ +#!/usr/bin/env python3 +import sys + +def naturalNumbers(): + i = 1 + while True: + yield i + i += 1 + +DEFAULT = 0 +PROOF = 1 +TRUSTED = 2 + +def makeTrusted(file_name, lines): + state = DEFAULT + for (line_number, line) in lines: + normalized = line.strip() + if normalized.startswith('//@'): + if state == DEFAULT: + if normalized == '//@ proof': + state = PROOF + else: + raise Exception( + "Unexpected trusted directive, only '//@ proof' allowed here.\n%s:%d" + % (file_name, line_number)) + elif state == PROOF: + if normalized == '//@ trusted': + state = TRUSTED + else: + raise Exception( + "Unexpected trusted directive, only '//@ trusted' allowed here.\n%s:%d" + % (file_name, line_number)) + elif state == TRUSTED: + if normalized == '//@ end': + state = DEFAULT + else: + raise Exception( + "Unexpected trusted directive, only '//@ end' allowed here.\n%s:%d" + % (file_name, line_number)) + else: + if state == DEFAULT: + pass + else: + unindented = line.lstrip() + indentation = ' ' * (len(line) - len(unindented)) + if state == PROOF: + line = indentation + '// ' + unindented + elif state == TRUSTED: + if unindented.startswith('// '): + line = indentation + unindented[3:] + else: + raise Exception( + "Expected trusted lines to be commented.\n%s:%d" + % (file_name, line_number)) + yield line + +def main(argv): + if len(argv) != 2: + raise Exception('Wrong number of arguments, expected an input and an output file name.') + with open(argv[0], 'r') as f: + with open(argv[1], 'w') as g: + g.writelines(makeTrusted(argv[0], zip(naturalNumbers(), f))) + +if __name__ == '__main__': + main(sys.argv[1:]) diff --git a/multisig/proof.bzl b/multisig/proof.bzl new file mode 100644 index 000000000..d38860a3a --- /dev/null +++ b/multisig/proof.bzl 
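Review bot: `makeTrusted` never checks that the input ends back in the DEFAULT state, so an unterminated `//@ proof` or `//@ trusted` section silently comments out (or uncomments) everything to the end of the file and the generated trusted module is mangled without any error. Add after the `for` loop inside the generator: `if state != DEFAULT: raise Exception("Unterminated //@ section at end of %s" % file_name)`. Two smaller points: the TRUSTED branch requires the three-character `'// '` prefix, so an intentionally empty `//` line inside a trusted block aborts the conversion, and `' ' * (len(line) - len(unindented))` turns tab indentation into spaces.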
@@ -0,0 +1,186 @@ +KompileInfo = provider(fields=["files"]) +KtrustedInfo = provider(fields=["trusted"]) + +def _kompile_impl(ctx): + output_files = [ + ctx.actions.declare_file(ctx.label.name + '-kompiled/' + name) + for name in [ + 'allRules.txt', 'cache.bin', 'compiled.bin', 'compiled.txt', + 'configVars.sh', 'definition.kore', 'macros.kore', 'mainModule.txt', + 'parsed.txt', 'syntaxDefinition.kore', 'timestamp'] + ] + if len(ctx.files.srcs) != 1: + fail + input_names = [output_files[0].path] + [s.path for s in ctx.files.srcs] + # TODO: Make this work if the file name is not based on the target name. + ctx.actions.run( + inputs=depset(ctx.files.srcs, transitive = [dep[DefaultInfo].files for dep in ctx.attr.deps]), + outputs=output_files, + arguments=input_names, + progress_message="Kompiling %s" % ctx.files.srcs[0].path, + executable=ctx.executable.kompile_tool) + + return [ + DefaultInfo( + files = depset( + output_files, + transitive = [dep[DefaultInfo].files for dep in ctx.attr.deps] + ), + ), + KompileInfo(files=output_files), + ] + +kompile = rule( + implementation = _kompile_impl, + attrs = { + "deps": attr.label_list(), + "srcs": attr.label_list(allow_files = [".k"]), + "kompile_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool"), + ), + }, + executable = False, +) + +def _klibrary_impl(ctx): + if len(ctx.files.srcs) != 1: + fail + input_names = [s.path for s in ctx.files.srcs] + output_dir = ctx.actions.declare_directory(ctx.label.name + '-kompiled') + # TODO: Make this work if the file name is not based on the target name. 
+ ctx.actions.run( + inputs=depset(ctx.files.srcs, transitive = [dep[DefaultInfo].files for dep in ctx.attr.deps]), + outputs=[output_dir], + arguments=input_names, + progress_message="Checking %s" % ctx.files.srcs[0].path, + executable=ctx.executable.kompile_tool) + return [ + DefaultInfo( + files = depset(ctx.files.srcs + [ output_dir ], transitive = [dep[DefaultInfo].files for dep in ctx.attr.deps]), + ) + ] + +klibrary = rule( + implementation = _klibrary_impl, + attrs = { + "deps": attr.label_list(), + "srcs": attr.label_list(allow_files = [".k"]), + "kompile_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kompile_e_tool"), + ), + }, +) + +def _ktrusted_impl(ctx): + if len(ctx.files.srcs) != 1: + fail + + tmp_file = ctx.actions.declare_file(ctx.label.name + ".tmp.k") + ctx.actions.run( + inputs=depset(ctx.files.srcs), + outputs=[tmp_file], + arguments=[ctx.files.srcs[0].path, tmp_file.path], + progress_message="Trusting %s" % ctx.files.srcs[0].path, + executable=ctx.executable.ktrusted_tool) + + output_file = ctx.actions.declare_file(ctx.label.name + ".k") + all_trusted = [] + for dep in ctx.attr.trusted: + all_trusted += dep[KtrustedInfo].trusted + ctx.actions.run( + inputs=depset([tmp_file] + all_trusted), + outputs=[output_file], + arguments=[output_file.path, tmp_file.path] + [s.path for s in all_trusted], + progress_message="Merging %s" % ctx.files.srcs[0].path, + executable=ctx.executable.kmerge_tool) + return [ + KtrustedInfo( + trusted = output_file, + ) + ] + +ktrusted = rule( + implementation = _ktrusted_impl, + attrs = { + "srcs": attr.label_list(allow_files = [".k"]), + "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), + "ktrusted_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:ktrusted_tool"), + ), + "kmerge_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = 
Label("//kompile_tool:kmerge_tool"), + ), + }, +) + +def _kprove_impl(ctx): + if len(ctx.files.srcs) != 1: + fail + merged_file = ctx.actions.declare_file(ctx.label.name + '.k') + + all_trusted = [] + for dep in ctx.attr.trusted: + all_trusted += [dep[KtrustedInfo].trusted] + ctx.actions.run( + inputs=depset(ctx.files.srcs + all_trusted), + outputs=[merged_file], + arguments=[merged_file.path] + [s.path for s in (ctx.files.srcs + all_trusted)], + progress_message="Preparing %s" % ctx.files.srcs[0].path, + executable=ctx.executable.kmerge_tool) + + output_file = ctx.actions.declare_file(ctx.label.name + '-proved-xyzzy') + tmp_dir = ctx.actions.declare_directory(ctx.label.name + '-kompiled-xyzzy') + # TODO: Make this work if the file name is not based on the target name. + ctx.actions.run( + inputs=depset([merged_file] + ctx.attr.semantics[KompileInfo].files), + outputs=[output_file, tmp_dir], + arguments=[output_file.path, ctx.attr.semantics[KompileInfo].files[0].path, tmp_dir.path, merged_file.path], + progress_message="Proving %s" % ctx.files.srcs[0].path, + executable=ctx.executable.kprove_tool) + return [ + DefaultInfo( + files = depset([ output_file ]), + ) + ] + +kprove = rule( + implementation = _kprove_impl, + attrs = { + "srcs": attr.label_list(allow_files = [".k"]), + "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), + "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), + "kprove_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kprove_tool"), + ), + "kmerge_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kmerge_tool"), + ), + }, +) + +# # Given executable_file and runfile_file: +# runfiles_root = executable_file.path + ".runfiles" +# workspace_name = ctx.workspace_name +# runfile_path = runfile_file.short_path +# execution_root_relative_path = "%s/%s/%s" % ( +# runfiles_root, 
workspace_name, runfile_path) + +#Args.add_all \ No newline at end of file diff --git a/multisig/protocol-correctness/BUILD b/multisig/protocol-correctness/BUILD new file mode 100644 index 000000000..14747ce7c --- /dev/null +++ b/multisig/protocol-correctness/BUILD @@ -0,0 +1,7 @@ +load("//:proof.bzl", "klibrary") + +klibrary( + name = "pseudocode-files", + srcs = ["pseudocode.k"], + visibility = ["//visibility:public"], +) \ No newline at end of file diff --git a/multisig/protocol-correctness/Makefile b/multisig/protocol-correctness/Makefile index 9e736d1cc..531df4789 100644 --- a/multisig/protocol-correctness/Makefile +++ b/multisig/protocol-correctness/Makefile @@ -8,7 +8,7 @@ CHECK_RESULT_RUN = if [ $$? -eq 0 ] ; then echo "passed $<"; mv $@.tmp $@; else execution.timestamp: execution.k *.k @echo "Compiling $<" - @kompile $< --backend haskell + @kompile $(KOMPILE_FLAGS) $< --backend haskell @touch execution.timestamp test: ${TEST_COMPARISON} diff --git a/multisig/protocol-correctness/proof/BUILD b/multisig/protocol-correctness/proof/BUILD new file mode 100644 index 000000000..205c37410 --- /dev/null +++ b/multisig/protocol-correctness/proof/BUILD @@ -0,0 +1,31 @@ +load("//:proof.bzl", "klibrary") + +klibrary( + name = "execution-proof-files", + srcs = ["execution-proof.k"], + deps = [ + ":invariant-files", + ":execution-proof-helpers-files", + ], + visibility = ["//visibility:public"], +) + +klibrary( + name = "execution-proof-helpers-files", + srcs = ["execution-proof-helpers.k"], + deps = [ + "//protocol-correctness:pseudocode-files", + "//protocol-correctness/proof/map:map-files", + ], + visibility = ["//visibility:public"], +) + +klibrary( + name = "invariant-files", + srcs = ["invariant.k"], + deps = [ + ":execution-proof-helpers-files", + "//protocol-correctness:pseudocode-files" + ], + visibility = ["//visibility:public"], +) 
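Review bot: Every rule guards with `if len(ctx.files.srcs) != 1: fail`, which is a no-op in Starlark because `fail` is only referenced, never called; each should read `fail("expected exactly one src in %s, got %d" % (ctx.label, len(ctx.files.srcs)))`. More important for the soundness of the pipeline, `ktrusted` produces the `[trusted]` (axiom) version of a claim from `srcs` alone — nothing ties it to the `kprove` target of the same file, so a lemma can be consumed as trusted by every dependent proof even if its own proof was never run or fails. Consider giving `ktrusted` a mandatory `proof` attribute (the matching `kprove` label) and adding that target's output marker to the merge action's `inputs`, so the trusted file cannot be built unless the proof passed. The `touch $OUTPUT` marker produced by `_kprove_impl` is adequate for that purpose as long as kprove.sh keeps `set -e`.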
diff --git a/multisig/protocol-correctness/proof/execution-proof-helpers.k b/multisig/protocol-correctness/proof/execution-proof-helpers.k new file mode 100644 index 000000000..a979f8407 --- /dev/null +++ b/multisig/protocol-correctness/proof/execution-proof-helpers.k 
@@ -0,0 +1,482 @@ +require "protocol-correctness/pseudocode.k" +require "protocol-correctness/proof/map/map-execute.k" + +module EXECUTION-PROOF-HELPERS + imports MAP-SYMBOLIC + imports SET + + imports PSEUDOCODE + imports MAP-EXECUTE + + // Expand and PropertyHandling form a stupid trick used to control symbolic + // function application. + // Any function that receives them as an argument should not depend on them, + // i.e it should have the same value for all possible PropertyHandling values. + syntax Expand ::= "expanded" | expand(Expand) + syntax PropertyHandling ::= "usesExpanded" | Expand + // TODO: Delete above or below. + syntax Int ::= expand(Int) [function, functional, no-evaluators] + syntax Int ::= "usesExpanded" [function, functional, no-evaluators] + + rule isKResult(last(Es)) => true + requires isKResult(Es) + // TODO: Define a function called `lastCeilCondition`... + ensures pListLen([Es]) >Int 0 + [simplification] + + rule isUsize(last(Es)) => true + requires listElementsAreUsize([Es]) + [simplification] + + rule isKResult(lastToStart(Es)) => isKResult(Es) + [simplification] + + rule listElementsAreUsize([lastToStart(Es)]) => listElementsAreUsize([Es]) + [simplification] + + rule isKResult(removeLast(Es)) => true + requires isKResult(Es) + ensures pListLen([Es]) >Int 0 + [simplification] + + rule listElementsAreUsize([removeLast(Es:ExpressionCSV)]) => true + requires listElementsAreUsize([Es]) + [simplification] + + rule pListLen(_) >=Int 0 => true [simplification, smt-lemma] + + rule addOneIfNotNegative(X:Int) >=Int 0 => X >=Int 0 [simplification] + + // Override the default behaviour. 
+ rule isDefaultValue(E:ExpressionList, rExpressionList) + => notBool (pListLen(E) >Int 0) + rule pListLen([#pushList(_, _)]) >Int 0 => true + [simplification] + + syntax Bool ::= noCommonItem(Usize, Map, ExpressionList) [function, functional] + rule noCommonItem(_:Usize, _:Map, [.]) => true + rule noCommonItem(U:Usize, M:Map, [E:Expression , Es:ExpressionCSV]) + => notBool (E in_keys(M)) + andBool noCommonItem(add(U, u(1)), (E |-> U) M, [Es]) + + syntax Bool ::= noReusedIndexAddress(Usize, Map, ExpressionList) [function, functional] + rule noReusedIndexAddress(U:Usize, M:Map, [.]) => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) + rule noReusedIndexAddress(U:Usize, M:Map, [E:Expression , Es:ExpressionCSV] #as L) + => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, L) + andBool noReusedIndexAddress(add(U, u(1)), (U |-> E) M, [Es]) + + syntax Bool ::= noReusedIndexRole(Usize, Map, ExpressionList) [function, functional] + rule noReusedIndexRole(U:Usize, M:Map, [.]) => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) + rule noReusedIndexRole(U:Usize, M:Map, [_:Expression , Es:ExpressionCSV] #as L) + => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, L) + andBool noReusedIndexRole(add(U, u(1)), (U |-> BoardMember) M, [Es]) + + syntax Bool ::= "forall-v-greater-or-equal-than-u-v-not-in-m" "(" Usize "," Map "," ExpressionList ")" [function, functional] + rule forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) + => notBool U in_keys(M) + rule forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [_:Expression , Es:ExpressionCSV]) + => notBool U in_keys(M) + andBool forall-v-greater-or-equal-than-u-v-not-in-m(add(U, u(1)), M, [Es]) + + syntax Usize ::= usizeWithDefault(KItem, Usize) [function, functional] + rule usizeWithDefault(uninitialized, Default:Usize) => Default + rule usizeWithDefault(V:Usize, _:Usize) => V + + syntax Int ::= usizeToInt(Usize) [function, functional] + rule usizeToInt(u(V:Int)) => V + + syntax Bool ::= 
listElementsAreAddresses(ExpressionList) [function, functional] + rule listElementsAreAddresses([.]) => true + rule listElementsAreAddresses([E:Expression , Es:ExpressionCSV]) + => isAddress(E) andBool listElementsAreAddresses([Es]) + + syntax Bool ::= listElementsAreUsize(KItem) [function, functional] + rule listElementsAreUsize([.]) => true + rule listElementsAreUsize([E:Expression, Es:ExpressionCSV]) + => isUsize(E) andBool listElementsAreUsize([Es]) + rule listElementsAreUsize(_:KItem) => false + [owise] + rule listElementsAreUsize([E:Expression, Es:ExpressionCSV]) + => isUsize(E) andBool listElementsAreUsize([Es]) + [simplification] + + syntax Bool ::= valuesAreExpressionListOfUsize(Map) [function, functional] + rule valuesAreExpressionListOfUsize(.Map) => true + rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) + => isExpressionList(V) + andBool listElementsAreUsize(V) + andBool valuesAreExpressionListOfUsize(M) + rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) + => isExpressionList(V) + andBool listElementsAreUsize(V) + andBool valuesAreExpressionListOfUsize(M) + [simplification] + + syntax Bool ::= valuesAreKResult(Map) [function, functional] + rule valuesAreKResult(.Map) => true + rule valuesAreKResult((_ |-> V M:Map) #as _:Map) + => isKResult(V) andBool valuesAreKResult(M) + rule valuesAreKResult((_ |-> V M:Map) #as _:Map) + => isKResult(V) andBool valuesAreKResult(M) + [simplification] + + syntax Bool ::= valuesAreOfType(Map, ReflectionType) [function, functional] + rule valuesAreOfType(.Map, _:ReflectionType) => true + rule valuesAreOfType((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valueOfType(V, T) andBool valuesAreOfType(M, T) + rule valuesAreOfType((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valueOfType(V, T) andBool valuesAreOfType(M, T) + [simplification] + + syntax Bool ::= keysAreKResult(Map) [function, functional] + rule keysAreKResult(.Map) => true + rule keysAreKResult((K:KItem |-> _:KItem M:Map) #as 
_:Map) + => isKResult(K) andBool keysAreKResult(M) + rule keysAreKResult((K:KItem |-> _:KItem M:Map) #as _:Map) + => isKResult(K) andBool keysAreKResult(M) + [simplification] + + syntax Bool ::= keysAreOfType(Map, ReflectionType) [function, functional] + rule keysAreOfType(.Map, _:ReflectionType) => true + rule keysAreOfType((K:KItem |-> _:KItem M:Map) #as _:Map, T:ReflectionType) + => valueOfType(K, T) andBool keysAreOfType(M, T) + rule keysAreOfType((K:KItem |-> _:KItem M:Map) #as _:Map, T:ReflectionType) + => valueOfType(K, T) andBool keysAreOfType(M, T) + [simplification] + + syntax Bool ::= valueIsNotEmpty(KItem, ReflectionType) [function, functional] + rule valueIsNotEmpty(V:KItem, T:ReflectionType) + => notBool (V ==K defaultValue(T)) + + syntax Bool ::= valuesAreNotEmpty(Map, ReflectionType) [function, functional] + rule valuesAreNotEmpty(.Map, _:ReflectionType) => true + rule valuesAreNotEmpty((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valuesAreNotEmpty(M, T) andBool valueIsNotEmpty(V, T) + rule valuesAreNotEmpty((_ |-> V M:Map) #as _:Map, T:ReflectionType) + => valuesAreNotEmpty(M, T) andBool valueIsNotEmpty(V, T) + [simplification] + + syntax Bool ::= valuesAreDistinct(Map) [function, functional] + rule valuesAreDistinct(.Map) => true + rule valuesAreDistinct((_:KItem |-> V:KItem M:Map) #as _:Map) + => valuesAreDistinct(M) andBool valueNotInMapValues(V, M) + [simplification] + + syntax Bool ::= valueNotInMapValues(KItem, Map) [function, functional] + rule valueNotInMapValues(_:KItem, .Map) => true + rule valueNotInMapValues(V1:KItem, (_:KItem |-> V2:KItem M:Map) #as _:Map) + => (notBool (V1 ==K V2)) andBool valueNotInMapValues(V1, M) + [simplification] + rule valueNotInMapValues(u(X:Int +Int 4), M:Map) => true + requires #noReusedIndexValue(X +Int 3, M, expanded) + [simplification] + + syntax Bool ::= noReusedIndexValue(Int, Map, PropertyHandling) [function, functional] + syntax Bool ::= #noReusedIndexValue(Int, Map, PropertyHandling) [function, 
functional] + + rule noReusedIndexValue(_Index:Int, .Map, _:PropertyHandling) => true + + rule noReusedIndexValue(Index:Int, (_:KItem |-> V:Usize M:Map) #as _:Map, Expand:PropertyHandling) + => Index >Int usizeToInt(V) andBool noReusedIndexValue(Index, M, Expand) + [simplification(20)] + rule noReusedIndexValue(Index:Int, M:Map, Handling:PropertyHandling) + => true + andBool valueNotInMapValues(u(Index), M) + andBool #noReusedIndexValue(Index, M, Handling) + [simplification(50)] + + rule #noReusedIndexValue(_Index:Int, .Map, expanded) => true + rule #noReusedIndexValue(Index:Int, (_:KItem |-> V:Usize M:Map) #as _:Map, Expand:PropertyHandling) + => Index >Int usizeToInt(V) andBool #noReusedIndexValue(Index, M, Expand) + [simplification(20)] + rule #noReusedIndexValue(Index:Int, M:Map, expand(Expand:Expand)) + => noReusedIndexValue(Index +Int 1, M, Expand) + [simplification(50)] + + rule #noReusedIndexValue(X:Int, M:Map, usesExpanded) + => true + requires false + orBool #noReusedIndexValue(X, M, expanded) + orBool (true + andBool valueNotInMapValues(u(X), M) + andBool #noReusedIndexValue(X +Int 1, M, expanded) + ) + orBool (true + andBool valueNotInMapValues(u(X), M) + andBool valueNotInMapValues(u(X +Int 1), M) + andBool #noReusedIndexValue(X +Int 2, M, expanded) + ) + [simplification] + + rule #noReusedIndexValue(X:Int +Int 4, M:Map, expanded) + => true + requires #noReusedIndexValue(X +Int 3, M, expanded) + [simplification] + rule #noReusedIndexValue(X:Int +Int 2, M:Map, expanded) + => true + requires true + andBool #noReusedIndexValue(X +Int 3, M, expanded) + andBool valueNotInMapValues(u(X +Int 2), M) + [simplification] + + syntax Bool ::= allValuesBecomeKeys(Map, Map) [function, functional] + syntax Bool ::= #allValuesBecomeKeys(Map, Map) [function, functional] + + rule allValuesBecomeKeys(M:Map, N:Map) => #allValuesBecomeKeys(M, keysMap(N)) + + rule #allValuesBecomeKeys(.Map, _:Map) => true + // TODO: This does not work if the key is in the map. 
Fix it and everything else. + rule #allValuesBecomeKeys((_ |-> V M:Map) #as _:Map, N:Map) + => V in_keys(N) andBool #allValuesBecomeKeys(M, N) + [simplification] + rule #allValuesBecomeKeys(M:Map, (_ |-> _ N:Map) #as _:Map) => true + requires #allValuesBecomeKeys(M, N) + [simplification] + + syntax Bool ::= mapsAreReverse(Map, Map) [function, functional] + syntax Bool ::= mapsAreReverseHalf(Map, Map) [function, functional] + + rule mapsAreReverse(M:Map, N:Map) + => mapsAreReverseHalf(M, N) andBool mapsAreReverseHalf(N, M) + + rule mapsAreReverseHalf(.Map, _:Map) => true + rule mapsAreReverseHalf((K:KItem |-> V:KItem M:Map) #as _:Map, N:Map) + => V in_keys(N) andBool N[V] ==K K andBool mapsAreReverseHalf(M, N) + [simplification] + + syntax Bool ::= mapIncluded(Map, Map) [function, functional] + + rule mapIncluded(.Map, _:Map) => true + rule mapIncluded((K:KItem |-> V:KItem M:Map) #as _:Map, N:Map) + => K in_keys(N) andBool N[K] ==K V andBool mapIncluded(M, N) + [simplification] + rule mapIncluded(M:Map, M:Map) => true + [simplification] + rule mapIncluded(M1:Map, _:KItem |-> _:KItem M2:Map) => true + requires M1 ==K M2 + [simplification] + // Not sure why this does not work instead of the above: + rule mapIncluded(M:Map, _:KItem |-> _:KItem M:Map) => true + [simplification] + + rule X:Int -Int X:Int => 0 [simplification] + // Int addition normalization + rule X:Int +Int (Y:Int +Int Z:Int) => (X +Int Y) +Int Z [simplification] + // rule (X:Int +Int Y:Int) => (Y +Int X) [simplification, concrete(X), symbolic(Y)] + rule (A:Int +Int I:Int) +Int B:Int => (A +Int B) +Int I [simplification, concrete(I), symbolic(A,B)] + //rule (X:Int +Int Y:Int) +Int Z:Int => X +Int (Y +Int Z) [simplification, concrete(Y), concrete(Z)] + + syntax Bool ::= unusedIdsInMapKeys(lastIndex:Int, Map, expand:PropertyHandling) [function, functional] + + rule unusedIdsInMapKeys(_:Int, .Map, _:PropertyHandling) => true + rule unusedIdsInMapKeys(LastIndex:Int, (U:Usize |-> _:KItem M:Map) #as _:Map, 
Handling:PropertyHandling) + => unusedIdsInMapKeys(LastIndex, M, Handling) + andBool LastIndex >Int usizeToInt(U) + [simplification(30)] + rule unusedIdsInMapKeys(LastIndex:Int, M:Map, expand(Expand:Expand)) + => notBool u(LastIndex) in_keys(M) // TODO: Maybe check before wrapping + andBool unusedIdsInMapKeys(LastIndex +Int 1, M, Expand) + [simplification] + + rule unusedIdsInMapKeys(LastIndex:Int +Int 4, M:Map, expanded) + => true + requires unusedIdsInMapKeys(LastIndex +Int 3, M, expanded) + [simplification] + rule unusedIdsInMapKeys(LastIndex:Int +Int 2, M:Map, expanded) + => true + requires true + andBool notBool u(LastIndex +Int 2) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 3, M, expanded) + [simplification] + + rule unusedIdsInMapKeys(LastIndex:Int, M:Map, usesExpanded) + => true + requires false + orBool unusedIdsInMapKeys(LastIndex, M, expanded) + orBool (true + andBool notBool u(LastIndex) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 1, M, expanded) + ) + orBool (true + andBool notBool u(LastIndex) in_keys(M) + andBool notBool u(LastIndex +Int 1) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) + ) + [simplification] + + rule unusedIdsInMapKeys(LastIndex:Int +Int 1, keysMap(M):Map, usesExpanded) + => true + requires true + andBool notBool u(LastIndex +Int 1) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 2, keysMap(M), expanded) + [simplification] + + /* + rule unusedIdsInMapKeys(LastIndex:Int +Int 1, M:Map, usesExpanded) + => true + requires notBool u(LastIndex +Int 1) in_keys(M) + andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) + [simplification] + */ + + syntax Bool ::= unusedIdsInMapValues(lastIndex:Int, Map, handling:PropertyHandling) [function, functional] + rule unusedIdsInMapValues(_:Int, .Map, _:PropertyHandling) => true + rule unusedIdsInMapValues( + LastIndex:Int, + (_:KItem |-> Value:Usize M:Map) #as _:Map, + Handling:PropertyHandling + ) + => unusedIdsInMapValues(LastIndex, M, 
Handling) + andBool LastIndex >Int usizeToInt(Value) + [simplification(10)] + rule unusedIdsInMapValues(LastIndex:Int, M:Map, expand(_:Expand)) + => unusedIdsInMapValues(LastIndex, M, expanded) + + rule unusedIdsInMapValues(LastIndex:Int +Int 3, M:Map, _:PropertyHandling) + => true + requires unusedIdsInMapValues(LastIndex +Int 2, M, expanded) + [simplification] + + rule unusedIdsInMapValues(LastIndex:Int, M:Map, usesExpanded) + => true + requires false + orBool unusedIdsInMapValues(LastIndex -Int 1, M, expanded) + orBool unusedIdsInMapValues(LastIndex, M, expanded) + [simplification] + + syntax Bool ::= noMapKeyInList(Map, ExpressionList) [function, functional] + rule noMapKeyInList(.Map, _:ExpressionList) => true + // TODO: Do I need this? + rule noMapKeyInList(.Map, [.]) => true + [simplification] + rule noMapKeyInList(M:Map, [E:Expression, .]) => true + requires notBool E in_keys(M) + [simplification] + rule noMapKeyInList((K:KItem |-> _:KItem M:Map) #as _:Map, L:ExpressionList) + => true + andBool notBool #listContains(L, K) + andBool noMapKeyInList(M, L) + [simplification] + rule noMapKeyInList(M:Map, [#pushList(L:ExpressionCSV, E:Expression)]) + => true + requires noMapKeyInList(M, [L]) + andBool notBool E in_keys(M) + [simplification] + + syntax Map ::= keysMap(Map) [function, functional] + rule keysMap(.Map) => .Map + rule keysMap((K:KItem |-> _:KItem M:Map) #as _:Map) => K |-> 0 keysMap(M) + [simplification] + rule X:KItem in_keys(keysMap(M:Map)) => X in_keys(M) + [simplification] + + rule #Ceil(@M:Map (@K:KItem |-> @V:KItem)) + => {(@K in_keys(@M)) #Equals false} + #And #Ceil(@M) + #And #Ceil(@K) + #And #Ceil(@V) + [anywhere, simplification(20)] + + syntax Int ::= countMapValues(Map, KItem) [function, functional, smtlib(countMapValues)] + rule countMapValues(.Map, _) => 0 + rule countMapValues(((_ |-> U) M:Map) #as _:Map, V:KItem) => countMapValues(M, V) +Int countValue(U, V) + [simplification] + + syntax Int ::= countValue(KItem, KItem) [function, 
functional, smtlib(countMapValue)] + rule countValue(V:KItem, V:KItem) => 1 + rule countValue(_:KItem, _:KItem) => 0 [owise] + // requires notBool (V1 ==K V2) + + rule 0 <=Int countValue(_:KItem, _:KItem) => true [simplification, smt-lemma] + rule countValue(_:KItem, _:KItem) >=Int 0 => true [simplification] + rule countValue(_:KItem, _:KItem) <=Int 1 => true [simplification, smt-lemma] + + rule 0 <=Int countMapValues(_, _) => true [simplification, smt-lemma] + rule countMapValues(_, _) >=Int 0 => true [simplification] + + rule countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0 [simplification] + + rule countMapValues(_, _) +Int X:Int <=Int 0 => false + requires X >Int 0 + [simplification] + // TODO: Replace these with generic int rules. + rule 0 <=Int countMapValues(A, B) +Int X:Int => countMapValues(A, B) +Int X >=Int 0 + [simplification] + rule countMapValues(_, _) +Int X:Int >=Int 0 => true + requires X >=Int 0 + [simplification] + rule countMapValues(_, _) +Int X:Int >Int 0 => true + requires X >Int 0 + [simplification] + rule countValue(_, _) +Int X:Int >=Int 0 => true + requires X >=Int 0 + [simplification] + rule countValue(_, _) +Int X:Int >Int 0 => true + requires X >Int 0 + [simplification] + /* + rule countMapValues(_, _) +Int 1 >=Int 0 => true [simplification] + rule countMapValues(_, _) +Int 2 >=Int 0 => true [simplification] + rule countMapValues(_, _) +Int 1 +Int countMapValues(_, _) >Int 0 => true [simplification] + rule countMapValues(_, _) +Int countMapValues(_, _) +Int X:Int >Int 0 + => true + requires X >Int 0 + [simplification] + rule countMapValues(_, _) +Int countValue(_, _) >=Int 0 => true [simplification] + rule countMapValues(_, _) +Int countValue(_, _) +Int X:Int >=Int 0 + => true + requires X >=Int 0 + [simplification] + rule countMapValues(_, _) +Int countMapValues(_, _) +Int countValue(_, _) +Int 1 >Int 0 + => true + [simplification] + */ + + // TODO: Proof for this. 
+ syntax Bool ::= canSignFunction(UserRole) [function, functional] + rule canSignFunction(Role:UserRole) => Role ==K BoardMember + + syntax Int ::= countCanSignFunction(signerIDs:ExpressionList, userIdToRole:Map) [function, functional, smtlib(countCanSignFunction)] + syntax Int ::= #countCanSignFunction(userID:Usize, signerIDs:ExpressionList, userIdToRole:Map, value:KItem) [function, functional] + rule countCanSignFunction([.], _:Map) => 0 + rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], UserId |-> Role:UserRole M:Map) + => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. + requires canSignFunction(Role) + rule countCanSignFunction([_:Expression, Es:ExpressionCSV], M) + => countCanSignFunction([Es], M) + [owise] + rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], UserId |-> Role:UserRole M:Map) + => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. + requires canSignFunction(Role) + [simplification] + rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], UserId |-> Role:UserRole M:Map) + => countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. 
+ requires notBool canSignFunction(Role) + [simplification] + rule countCanSignFunction(Es:ExpressionList, UserId |-> _:UserRole M:Map) + => countCanSignFunction(Es, M) + requires notBool #listContains(Es, UserId) + [simplification] + rule countCanSignFunction(Es:ExpressionList, concat(UserId, _:UserRole, M:Map)) + => countCanSignFunction(Es, M) + requires notBool #listContains(Es, UserId) + [simplification] + + rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], concat(UserId1:KItem, Role:UserRole, M:Map)) + => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) + [simplification] + rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], concat(UserId1:KItem, Role:UserRole, M:Map)) + => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) + [simplification] + rule #countCanSignFunction(UserId:Usize, Es:ExpressionList, M:Map, Value:UserRole) + => 1 +Int countCanSignFunction(Es, M[UserId <- undef]) + requires canSignFunction(Value) + [simplification] + rule #countCanSignFunction(_:Usize, Es:ExpressionList, M:Map, Value:UserRole) + => countCanSignFunction(Es, M) + requires notBool canSignFunction(Value) + [simplification] + + rule 0 <=Int countCanSignFunction(_, _) => true [simplification, smt-lemma] + +endmodule diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index 4c01aec2e..a54bdd710 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k 
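Review bot: `countCanSignFunction` is the model of the quorum count that the signing invariant rests on, yet it is introduced under `// TODO: Proof for this.` with no statement of what it is meant to compute, and because the prover applies `[simplification]` rules as axioms rather than checking them, a wrong lemma in this group could let the multisig proof go through even where the contract's own check would not. I would replace the TODO with a contract comment such as `// Number of distinct IDs in signerIDs whose role in userIdToRole is BoardMember; a repeated ID counts once (the matched binding is removed from the map), and an ID that is absent from the map or not a BoardMember contributes 0 via the [owise] rule.` The comment `// Remove UserId from the map since each user is counted at most once.` is also repeated on the `notBool canSignFunction(Role)` branch, where nothing is counted, so it reads as a justification for something that rule does not do; `// Not a signer: nothing counted, dropping the binding is harmless.` would be accurate there. The same documentation gap applies to the other unproven `[simplification]` lemmas in the module (for example `#allValuesBecomeKeys` still carries `// TODO: This does not work if the key is in the map.`), each of which should state the property it encodes so the trust it adds to the proof is visible to a reader.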
@@ -1,468 +1,11 @@ -require "../pseudocode.k" -require "invariant.k" -require "map/map-execute.k" +require "protocol-correctness/pseudocode.k" +require "protocol-correctness/proof/invariant.k" +require "protocol-correctness/proof/execution-proof-helpers.k" module EXECUTION-PROOF-SYNTAX imports PSEUDOCODE-SYNTAX endmodule -module EXECUTION-PROOF-HELPERS - imports MAP-SYMBOLIC - imports SET - - imports PSEUDOCODE - imports MAP-EXECUTE - - // Expand and PropertyHandling form a stupid trick used to control symbolic - // function application. - // Any function that receives them as an argument should not depend on them, - // i.e it should have the same value for all possible PropertyHandling values. - syntax Expand ::= "expanded" | expand(Expand) - syntax PropertyHandling ::= "usesExpanded" | Expand - // TODO: Delete above or below. - syntax Int ::= expand(Int) [function, functional, no-evaluators] - syntax Int ::= "usesExpanded" [function, functional, no-evaluators] - - syntax Int ::= pListLen(ExpressionList) [function, functional, smtlib(pListLen)] - rule pListLen([.]) => 0 - rule pListLen([_:Expression, Es:ExpressionCSV]) => 1 +Int pListLen([Es]) - - rule pListLen(_) >=Int 0 => true [simplification, smt-lemma] - - // Override the default behaviour. 
- rule isDefaultValue(E:ExpressionList, rExpressionList) - => notBool (pListLen(E) >Int 0) - rule pListLen([#pushList(_, _)]) >Int 0 => true - [simplification] - - syntax Bool ::= noCommonItem(Usize, Map, ExpressionList) [function, functional] - rule noCommonItem(_:Usize, _:Map, [.]) => true - rule noCommonItem(U:Usize, M:Map, [E:Expression , Es:ExpressionCSV]) - => notBool (E in_keys(M)) - andBool noCommonItem(add(U, u(1)), (E |-> U) M, [Es]) - - syntax Bool ::= noReusedIndexAddress(Usize, Map, ExpressionList) [function, functional] - rule noReusedIndexAddress(U:Usize, M:Map, [.]) => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) - rule noReusedIndexAddress(U:Usize, M:Map, [E:Expression , Es:ExpressionCSV] #as L) - => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, L) - andBool noReusedIndexAddress(add(U, u(1)), (U |-> E) M, [Es]) - - syntax Bool ::= noReusedIndexRole(Usize, Map, ExpressionList) [function, functional] - rule noReusedIndexRole(U:Usize, M:Map, [.]) => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) - rule noReusedIndexRole(U:Usize, M:Map, [_:Expression , Es:ExpressionCSV] #as L) - => forall-v-greater-or-equal-than-u-v-not-in-m(U, M, L) - andBool noReusedIndexRole(add(U, u(1)), (U |-> BoardMember) M, [Es]) - - syntax Bool ::= "forall-v-greater-or-equal-than-u-v-not-in-m" "(" Usize "," Map "," ExpressionList ")" [function, functional] - rule forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [.]) - => notBool U in_keys(M) - rule forall-v-greater-or-equal-than-u-v-not-in-m(U, M, [_:Expression , Es:ExpressionCSV]) - => notBool U in_keys(M) - andBool forall-v-greater-or-equal-than-u-v-not-in-m(add(U, u(1)), M, [Es]) - - syntax Usize ::= usizeWithDefault(KItem, Usize) [function, functional] - rule usizeWithDefault(uninitialized, Default:Usize) => Default - rule usizeWithDefault(V:Usize, _:Usize) => V - - syntax Int ::= usizeToInt(Usize) [function, functional] - rule usizeToInt(u(V:Int)) => V - - syntax Bool ::= 
listElementsAreAddresses(ExpressionList) [function, functional] - rule listElementsAreAddresses([.]) => true - rule listElementsAreAddresses([E:Expression , Es:ExpressionCSV]) - => isAddress(E) andBool listElementsAreAddresses([Es]) - - syntax Bool ::= listElementsAreUsize(KItem) [function, functional] - rule listElementsAreUsize([.]) => true - rule listElementsAreUsize([E:Expression, Es:ExpressionCSV]) - => isUsize(E) andBool listElementsAreUsize([Es]) - rule listElementsAreUsize(_:KItem) => false - [owise] - rule listElementsAreUsize([E:Expression, Es:ExpressionCSV]) - => isUsize(E) andBool listElementsAreUsize([Es]) - [simplification] - - syntax Bool ::= valuesAreExpressionListOfUsize(Map) [function, functional] - rule valuesAreExpressionListOfUsize(.Map) => true - rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) - => isExpressionList(V) - andBool listElementsAreUsize(V) - andBool valuesAreExpressionListOfUsize(M) - rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) - => isExpressionList(V) - andBool listElementsAreUsize(V) - andBool valuesAreExpressionListOfUsize(M) - [simplification] - - syntax Bool ::= valuesAreKResult(Map) [function, functional] - rule valuesAreKResult(.Map) => true - rule valuesAreKResult((_ |-> V M:Map) #as _:Map) - => isKResult(V) andBool valuesAreKResult(M) - rule valuesAreKResult((_ |-> V M:Map) #as _:Map) - => isKResult(V) andBool valuesAreKResult(M) - [simplification] - - syntax Bool ::= valuesAreOfType(Map, ReflectionType) [function, functional] - rule valuesAreOfType(.Map, _:ReflectionType) => true - rule valuesAreOfType((_ |-> V M:Map) #as _:Map, T:ReflectionType) - => valueOfType(V, T) andBool valuesAreOfType(M, T) - rule valuesAreOfType((_ |-> V M:Map) #as _:Map, T:ReflectionType) - => valueOfType(V, T) andBool valuesAreOfType(M, T) - [simplification] - - syntax Bool ::= keysAreKResult(Map) [function, functional] - rule keysAreKResult(.Map) => true - rule keysAreKResult((K:KItem |-> _:KItem M:Map) #as 
_:Map) - => isKResult(K) andBool keysAreKResult(M) - rule keysAreKResult((K:KItem |-> _:KItem M:Map) #as _:Map) - => isKResult(K) andBool keysAreKResult(M) - [simplification] - - syntax Bool ::= keysAreOfType(Map, ReflectionType) [function, functional] - rule keysAreOfType(.Map, _:ReflectionType) => true - rule keysAreOfType((K:KItem |-> _:KItem M:Map) #as _:Map, T:ReflectionType) - => valueOfType(K, T) andBool keysAreOfType(M, T) - rule keysAreOfType((K:KItem |-> _:KItem M:Map) #as _:Map, T:ReflectionType) - => valueOfType(K, T) andBool keysAreOfType(M, T) - [simplification] - - syntax Bool ::= valueIsNotEmpty(KItem, ReflectionType) [function, functional] - rule valueIsNotEmpty(V:KItem, T:ReflectionType) - => notBool (V ==K defaultValue(T)) - - syntax Bool ::= valuesAreNotEmpty(Map, ReflectionType) [function, functional] - rule valuesAreNotEmpty(.Map, _:ReflectionType) => true - rule valuesAreNotEmpty((_ |-> V M:Map) #as _:Map, T:ReflectionType) - => valuesAreNotEmpty(M, T) andBool valueIsNotEmpty(V, T) - rule valuesAreNotEmpty((_ |-> V M:Map) #as _:Map, T:ReflectionType) - => valuesAreNotEmpty(M, T) andBool valueIsNotEmpty(V, T) - [simplification] - - syntax Bool ::= valuesAreDistinct(Map) [function, functional] - rule valuesAreDistinct(.Map) => true - rule valuesAreDistinct((_:KItem |-> V:KItem M:Map) #as _:Map) - => valuesAreDistinct(M) andBool valueNotInMapValues(V, M) - [simplification] - - syntax Bool ::= valueNotInMapValues(KItem, Map) [function, functional] - rule valueNotInMapValues(_:KItem, .Map) => true - rule valueNotInMapValues(V1:KItem, (_:KItem |-> V2:KItem M:Map) #as _:Map) - => (notBool (V1 ==K V2)) andBool valueNotInMapValues(V1, M) - [simplification] - rule valueNotInMapValues(u(X:Int +Int 4), M:Map) => true - requires #noReusedIndexValue(X +Int 3, M, expanded) - [simplification] - - syntax Bool ::= noReusedIndexValue(Int, Map, PropertyHandling) [function, functional] - syntax Bool ::= #noReusedIndexValue(Int, Map, PropertyHandling) [function, 
functional] - - rule noReusedIndexValue(_Index:Int, .Map, _:PropertyHandling) => true - - rule noReusedIndexValue(Index:Int, (_:KItem |-> V:Usize M:Map) #as _:Map, Expand:PropertyHandling) - => Index >Int usizeToInt(V) andBool noReusedIndexValue(Index, M, Expand) - [simplification(20)] - rule noReusedIndexValue(Index:Int, M:Map, Handling:PropertyHandling) - => true - andBool valueNotInMapValues(u(Index), M) - andBool #noReusedIndexValue(Index, M, Handling) - [simplification(50)] - - rule #noReusedIndexValue(_Index:Int, .Map, expanded) => true - rule #noReusedIndexValue(Index:Int, (_:KItem |-> V:Usize M:Map) #as _:Map, Expand:PropertyHandling) - => Index >Int usizeToInt(V) andBool #noReusedIndexValue(Index, M, Expand) - [simplification(20)] - rule #noReusedIndexValue(Index:Int, M:Map, expand(Expand:Expand)) - => noReusedIndexValue(Index +Int 1, M, Expand) - [simplification(50)] - - rule #noReusedIndexValue(X:Int, M:Map, usesExpanded) - => true - requires false - orBool #noReusedIndexValue(X, M, expanded) - orBool (true - andBool valueNotInMapValues(u(X), M) - andBool #noReusedIndexValue(X +Int 1, M, expanded) - ) - orBool (true - andBool valueNotInMapValues(u(X), M) - andBool valueNotInMapValues(u(X +Int 1), M) - andBool #noReusedIndexValue(X +Int 2, M, expanded) - ) - [simplification] - - rule #noReusedIndexValue(X:Int +Int 4, M:Map, expanded) - => true - requires #noReusedIndexValue(X +Int 3, M, expanded) - [simplification] - rule #noReusedIndexValue(X:Int +Int 2, M:Map, expanded) - => true - requires true - andBool #noReusedIndexValue(X +Int 3, M, expanded) - andBool valueNotInMapValues(u(X +Int 2), M) - [simplification] - - syntax Bool ::= allValuesBecomeKeys(Map, Map) [function, functional] - syntax Bool ::= #allValuesBecomeKeys(Map, Map) [function, functional] - - rule allValuesBecomeKeys(M:Map, N:Map) => #allValuesBecomeKeys(M, keysMap(N)) - - rule #allValuesBecomeKeys(.Map, _:Map) => true - // TODO: This does not work if the key is in the map. 
Fix it and everything else. - rule #allValuesBecomeKeys((_ |-> V M:Map) #as _:Map, N:Map) - => V in_keys(N) andBool #allValuesBecomeKeys(M, N) - [simplification] - rule #allValuesBecomeKeys(M:Map, (_ |-> _ N:Map) #as _:Map) => true - requires #allValuesBecomeKeys(M, N) - [simplification] - - syntax Bool ::= mapsAreReverse(Map, Map) [function, functional] - syntax Bool ::= mapsAreReverseHalf(Map, Map) [function, functional] - - rule mapsAreReverse(M:Map, N:Map) - => mapsAreReverseHalf(M, N) andBool mapsAreReverseHalf(N, M) - - rule mapsAreReverseHalf(.Map, _:Map) => true - rule mapsAreReverseHalf((K:KItem |-> V:KItem M:Map) #as _:Map, N:Map) - => V in_keys(N) andBool N[V] ==K K andBool mapsAreReverseHalf(M, N) - [simplification] - - syntax Bool ::= mapIncluded(Map, Map) [function, functional] - - rule mapIncluded(.Map, _:Map) => true - rule mapIncluded((K:KItem |-> V:KItem M:Map) #as _:Map, N:Map) - => K in_keys(N) andBool N[K] ==K V andBool mapIncluded(M, N) - [simplification] - rule mapIncluded(M:Map, M:Map) => true - [simplification] - rule mapIncluded(M1:Map, _:KItem |-> _:KItem M2:Map) => true - requires M1 ==K M2 - [simplification] - // Not sure why this does not work instead of the above: - rule mapIncluded(M:Map, _:KItem |-> _:KItem M:Map) => true - [simplification] - - rule X:Int -Int X:Int => 0 [simplification] - // Int addition normalization - rule X:Int +Int (Y:Int +Int Z:Int) => (X +Int Y) +Int Z [simplification] - // rule (X:Int +Int Y:Int) => (Y +Int X) [simplification, concrete(X), symbolic(Y)] - rule (A:Int +Int I:Int) +Int B:Int => (A +Int B) +Int I [simplification, concrete(I), symbolic(A,B)] - //rule (X:Int +Int Y:Int) +Int Z:Int => X +Int (Y +Int Z) [simplification, concrete(Y), concrete(Z)] - - syntax Bool ::= unusedIdsInMapKeys(lastIndex:Int, Map, expand:PropertyHandling) [function, functional] - - rule unusedIdsInMapKeys(_:Int, .Map, _:PropertyHandling) => true - rule unusedIdsInMapKeys(LastIndex:Int, (U:Usize |-> _:KItem M:Map) #as _:Map, 
Handling:PropertyHandling) - => unusedIdsInMapKeys(LastIndex, M, Handling) - andBool LastIndex >Int usizeToInt(U) - [simplification(30)] - rule unusedIdsInMapKeys(LastIndex:Int, M:Map, expand(Expand:Expand)) - => notBool u(LastIndex) in_keys(M) // TODO: Maybe check before wrapping - andBool unusedIdsInMapKeys(LastIndex +Int 1, M, Expand) - [simplification] - - rule unusedIdsInMapKeys(LastIndex:Int +Int 4, M:Map, expanded) - => true - requires unusedIdsInMapKeys(LastIndex +Int 3, M, expanded) - [simplification] - rule unusedIdsInMapKeys(LastIndex:Int +Int 2, M:Map, expanded) - => true - requires true - andBool notBool u(LastIndex +Int 2) in_keys(M) - andBool unusedIdsInMapKeys(LastIndex +Int 3, M, expanded) - [simplification] - - rule unusedIdsInMapKeys(LastIndex:Int, M:Map, usesExpanded) - => true - requires false - orBool unusedIdsInMapKeys(LastIndex, M, expanded) - orBool (true - andBool notBool u(LastIndex) in_keys(M) - andBool unusedIdsInMapKeys(LastIndex +Int 1, M, expanded) - ) - orBool (true - andBool notBool u(LastIndex) in_keys(M) - andBool notBool u(LastIndex +Int 1) in_keys(M) - andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) - ) - [simplification] - - rule unusedIdsInMapKeys(LastIndex:Int +Int 1, keysMap(M):Map, usesExpanded) - => true - requires true - andBool notBool u(LastIndex +Int 1) in_keys(M) - andBool unusedIdsInMapKeys(LastIndex +Int 2, keysMap(M), expanded) - [simplification] - - /* - rule unusedIdsInMapKeys(LastIndex:Int +Int 1, M:Map, usesExpanded) - => true - requires notBool u(LastIndex +Int 1) in_keys(M) - andBool unusedIdsInMapKeys(LastIndex +Int 2, M, expanded) - [simplification] - */ - - syntax Bool ::= unusedIdsInMapValues(lastIndex:Int, Map, handling:PropertyHandling) [function, functional] - rule unusedIdsInMapValues(_:Int, .Map, _:PropertyHandling) => true - rule unusedIdsInMapValues( - LastIndex:Int, - (_:KItem |-> Value:Usize M:Map) #as _:Map, - Handling:PropertyHandling - ) - => unusedIdsInMapValues(LastIndex, M, 
Handling) - andBool LastIndex >Int usizeToInt(Value) - [simplification(10)] - rule unusedIdsInMapValues(LastIndex:Int, M:Map, expand(_:Expand)) - => unusedIdsInMapValues(LastIndex, M, expanded) - - rule unusedIdsInMapValues(LastIndex:Int +Int 3, M:Map, _:PropertyHandling) - => true - requires unusedIdsInMapValues(LastIndex +Int 2, M, expanded) - [simplification] - - rule unusedIdsInMapValues(LastIndex:Int, M:Map, usesExpanded) - => true - requires false - orBool unusedIdsInMapValues(LastIndex -Int 1, M, expanded) - orBool unusedIdsInMapValues(LastIndex, M, expanded) - [simplification] - - syntax Bool ::= noMapKeyInList(Map, ExpressionList) [function, functional] - rule noMapKeyInList(.Map, _:ExpressionList) => true - // TODO: Do I need this? - rule noMapKeyInList(.Map, [.]) => true - [simplification] - rule noMapKeyInList(M:Map, [E:Expression, .]) => true - requires notBool E in_keys(M) - [simplification] - rule noMapKeyInList((K:KItem |-> _:KItem M:Map) #as _:Map, L:ExpressionList) - => true - andBool notBool #listContains(L, K) - andBool noMapKeyInList(M, L) - [simplification] - rule noMapKeyInList(M:Map, [#pushList(L:ExpressionCSV, E:Expression)]) - => true - requires noMapKeyInList(M, [L]) - andBool notBool E in_keys(M) - [simplification] - - syntax Map ::= keysMap(Map) [function, functional] - rule keysMap(.Map) => .Map - rule keysMap((K:KItem |-> _:KItem M:Map) #as _:Map) => K |-> 0 keysMap(M) - [simplification] - rule X:KItem in_keys(keysMap(M:Map)) => X in_keys(M) - [simplification] - - rule #Ceil(@M:Map (@K:KItem |-> @V:KItem)) - => {(@K in_keys(@M)) #Equals false} - #And #Ceil(@M) - #And #Ceil(@K) - #And #Ceil(@V) - [anywhere, simplification(20)] - - syntax Int ::= countMapValues(Map, KItem) [function, functional, smtlib(countMapValues)] - rule countMapValues(.Map, _) => 0 - rule countMapValues(((_ |-> U) M:Map) #as _:Map, V:KItem) => countMapValues(M, V) +Int countValue(U, V) - [simplification] - - syntax Int ::= countValue(KItem, KItem) [function, 
functional, smtlib(countMapValue)] - rule countValue(V:KItem, V:KItem) => 1 - rule countValue(_:KItem, _:KItem) => 0 [owise] - // requires notBool (V1 ==K V2) - - rule 0 <=Int countValue(_:KItem, _:KItem) => true [simplification, smt-lemma] - rule countValue(_:KItem, _:KItem) >=Int 0 => true [simplification] - rule countValue(_:KItem, _:KItem) <=Int 1 => true [simplification, smt-lemma] - - rule 0 <=Int countMapValues(_, _) => true [simplification, smt-lemma] - rule countMapValues(_, _) >=Int 0 => true [simplification] - - rule countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0 [simplification] - - rule countMapValues(_, _) +Int X:Int <=Int 0 => false - requires X >Int 0 - [simplification] - // TODO: Replace these with generic int rules. - rule 0 <=Int countMapValues(A, B) +Int X:Int => countMapValues(A, B) +Int X >=Int 0 - [simplification] - rule countMapValues(_, _) +Int X:Int >=Int 0 => true - requires X >=Int 0 - [simplification] - rule countMapValues(_, _) +Int X:Int >Int 0 => true - requires X >Int 0 - [simplification] - rule countValue(_, _) +Int X:Int >=Int 0 => true - requires X >=Int 0 - [simplification] - rule countValue(_, _) +Int X:Int >Int 0 => true - requires X >Int 0 - [simplification] - /* - rule countMapValues(_, _) +Int 1 >=Int 0 => true [simplification] - rule countMapValues(_, _) +Int 2 >=Int 0 => true [simplification] - rule countMapValues(_, _) +Int 1 +Int countMapValues(_, _) >Int 0 => true [simplification] - rule countMapValues(_, _) +Int countMapValues(_, _) +Int X:Int >Int 0 - => true - requires X >Int 0 - [simplification] - rule countMapValues(_, _) +Int countValue(_, _) >=Int 0 => true [simplification] - rule countMapValues(_, _) +Int countValue(_, _) +Int X:Int >=Int 0 - => true - requires X >=Int 0 - [simplification] - rule countMapValues(_, _) +Int countMapValues(_, _) +Int countValue(_, _) +Int 1 >Int 0 - => true - [simplification] - */ - - // TODO: Proof for this. 
- syntax Bool ::= canSignFunction(UserRole) [function, functional] - rule canSignFunction(Role:UserRole) => Role ==K BoardMember - - syntax Int ::= countCanSignFunction(signerIDs:ExpressionList, userIdToRole:Map) [function, functional, smtlib(countCanSignFunction)] - syntax Int ::= #countCanSignFunction(userID:Usize, signerIDs:ExpressionList, userIdToRole:Map, value:KItem) [function, functional] - rule countCanSignFunction([.], _:Map) => 0 - rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], UserId |-> Role:UserRole M:Map) - => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. - requires canSignFunction(Role) - rule countCanSignFunction([_:Expression, Es:ExpressionCSV], M) - => countCanSignFunction([Es], M) - [owise] - rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], UserId |-> Role:UserRole M:Map) - => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. - requires canSignFunction(Role) - [simplification] - rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], UserId |-> Role:UserRole M:Map) - => countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. 
- requires notBool canSignFunction(Role) - [simplification] - rule countCanSignFunction(Es:ExpressionList, UserId |-> _:UserRole M:Map) - => countCanSignFunction(Es, M) - requires notBool #listContains(Es, UserId) - [simplification] - rule countCanSignFunction(Es:ExpressionList, concat(UserId, _:UserRole, M:Map)) - => countCanSignFunction(Es, M) - requires notBool #listContains(Es, UserId) - [simplification] - - rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], concat(UserId1:KItem, Role:UserRole, M:Map)) - => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) - [simplification] - rule countCanSignFunction([#pushList(Es:ExpressionCSV, UserId:Usize)], concat(UserId1:KItem, Role:UserRole, M:Map)) - => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) - [simplification] - rule #countCanSignFunction(UserId:Usize, Es:ExpressionList, M:Map, Value:UserRole) - => 1 +Int countCanSignFunction(Es, M[UserId <- undef]) - requires canSignFunction(Value) - [simplification] - rule #countCanSignFunction(_:Usize, Es:ExpressionList, M:Map, Value:UserRole) - => countCanSignFunction(Es, M) - requires notBool canSignFunction(Value) - [simplification] - - rule 0 <=Int countCanSignFunction(_, _) => true [simplification, smt-lemma] - -endmodule - module CONCRETIZE-INSTRUMENTATION imports MAP 
@@ -478,6 +21,25 @@ module CONCRETIZE-INSTRUMENTATION rule concretizeValue(_) => .K [priority(200)] + syntax KItem ::= concretizeExpressionList(ExpressionList, Int) + rule concretizeExpressionList([.:ExpressionCSV], X:Int) => .K + requires X >Int 0 + rule concretizeExpressionList([_:Expression , L:ExpressionCSV], X:Int) + => concretizeExpressionList([L], X -Int 1) + requires X >Int 0 + rule concretizeExpressionList([_:ExpressionCSV], X:Int) + => .K + requires X <=Int 0 + + syntax Expression ::= expressionListGetOrDefault(ExpressionList, Int, Expression) [function] + rule expressionListGetOrDefault([.], _:Int, Default:Expression) => Default + rule expressionListGetOrDefault([_:ExpressionCSV], X:Int, Default:Expression) => Default + requires X E + rule expressionListGetOrDefault([_:Expression, Es:ExpressionCSV], X:Int, Default:Expression) + => expressionListGetOrDefault([Es:ExpressionCSV], X -Int 1, Default) + requires X >Int 0 + syntax Singleton ::= "singleton" syntax IntVarList ::= vars(Int, IntVarList) @@ -518,13 +80,20 @@ module CONCRETIZE-INSTRUMENTATION syntax KItem ::= lazyConcretizeValues(Map) rule lazyConcretizeValues(M:Map) => concretized(concretizeValues(M, vars(?_, vars(?_, .IntVarList)))) + // TODO: Rename this. syntax KItem ::= makeConcreteValue(key:KItem, valueType:ReflectionType, Map) rule makeConcreteValue(Key:KItem, ValueType:ReflectionType, M:Map) => splitMap(Key, M, ?_Value:KItem, ?_Remainder:Map) ~> cast(M[Key], ValueType) ~> removeValue - ~> concretizeValue(M[Key]) + ~> concretizeValue(M[Key]) requires Key in_keys(M) + + syntax KItem ::= makeConcrete(value:KItem, valueType:ReflectionType) + rule makeConcrete(Value:KItem, ValueType:ReflectionType) + => cast(Value, ValueType) + ~> removeValue + ~> concretizeValue(Value) endmodule module PROOF-INSTRUMENTATION diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index d3cd77563..923e28440 100644 
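Review bot: `expressionListGetOrDefault` is declared `[function]` only, although its three rules look total (empty list; any list under the out-of-range guard, which this rendering shows as `requires X E` and is presumably `X <=Int 0`; non-empty list with `X >Int 0`), so it could be declared `[function, functional]` like the map helpers elsewhere in the file. If that guard is not the exact complement of `X >Int 0`, the second and third rules either overlap or leave the index-0 case undefined, which should be settled before the symbol is marked functional. `concretizeExpressionList` also carries no comment; it presumably exists to force a case split on the list spine up to depth X, and a line such as `// Walks (and thereby case-splits) the first X elements of the list; X <= 0 is a no-op.` would say so.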
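Review bot: The new `makeConcrete` repeats the tail of `makeConcreteValue` (`cast ~> removeValue ~> concretizeValue`), so the two can drift apart; modulo one extra rewrite step, `makeConcreteValue` could end with `~> makeConcrete(M[Key], ValueType)` after the `splitMap` item instead of spelling the three items out again. The `// TODO: Rename this.` added above `makeConcreteValue` is left unresolved by the commit; until the rename happens, a comment such as `// Splits Key out of M, then concretizes its value (see makeConcrete).` would record how the two differ.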
--- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD 
@@ -1,7 +1,283 @@ -load(":proof.bzl", "kompile") +load("//:proof.bzl", "kompile", "kprove", "ktrusted") -print("BUILD file") kompile( name = "functions-execute", - srcs = ["functions-execute.k"] + srcs = ["functions-execute.k"], + deps = [ + "//protocol-correctness/proof:execution-proof-files", + "//protocol-correctness:pseudocode-files", + ], +) + +kprove( + name = "proof-change-user-role-BoardMember", + srcs = ["proof-change-user-role-BoardMember.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-change-user-role-New", + srcs = ["proof-change-user-role-New.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-change-user-role-None", + srcs = ["proof-change-user-role-None.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-change-user-role-Proposer", + srcs = ["proof-change-user-role-Proposer.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-count-can-sign", + srcs = ["proof-count-can-sign.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-has-signers", + srcs = ["proof-discard-action-has-signers.k"], + trusted = [":trusted-count-can-sign"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-no-role", + srcs = ["proof-discard-action-no-role.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-no-signers-no-action", + srcs = ["proof-discard-action-no-signers-no-action.k"], + trusted = [":trusted-count-can-sign"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-no-signers", + srcs = ["proof-discard-action-no-signers.k"], + trusted = [":trusted-count-can-sign"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-no-user", + srcs = ["proof-discard-action-no-user.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-no-valid-signers-no-action", + srcs = 
["proof-discard-action-no-valid-signers-no-action.k"], + trusted = [":trusted-count-can-sign"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-discard-action-no-valid-signers", + srcs = ["proof-discard-action-no-valid-signers.k"], + trusted = [":trusted-count-can-sign"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-action-BoardMember", + srcs = ["proof-propose-action-BoardMember.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-action-error-no-role", + srcs = ["proof-propose-action-error-no-role.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-action-error-no-user", + srcs = ["proof-propose-action-error-no-user.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-action-Proposer", + srcs = ["proof-propose-action-Proposer.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-sc-deploy-BoardMember", + srcs = ["proof-propose-sc-deploy-BoardMember.k"], + trusted = [ + ":trusted-propose-action-BoardMember", + ":trusted-propose-sc-deploy-fragment", + ], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-sc-deploy-error-no-role", + srcs = ["proof-propose-sc-deploy-error-no-role.k"], + trusted = [ + ":trusted-propose-action-error-no-role", + ":trusted-propose-sc-deploy-fragment", + ], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-sc-deploy-error-no-user", + srcs = ["proof-propose-sc-deploy-error-no-user.k"], + trusted = [ + ":trusted-propose-action-error-no-user", + ":trusted-propose-sc-deploy-fragment", + ], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-sc-deploy-fragment", + srcs = ["proof-propose-sc-deploy-fragment.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-propose-sc-deploy-Proposer", + srcs = ["proof-propose-sc-deploy-Proposer.k"], + trusted = [ + ":trusted-propose-action-Proposer", + 
":trusted-propose-sc-deploy-fragment", + ], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-caller-none", + srcs = ["proof-sign-caller-none.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-caller-not-user", + srcs = ["proof-sign-caller-not-user.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-caller-proposer", + srcs = ["proof-sign-caller-proposer.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-empty-action", + srcs = ["proof-sign-empty-action.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-existing-signers-in-list", + srcs = ["proof-sign-existing-signers-in-list.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-existing-signers-not-in-list", + srcs = ["proof-sign-existing-signers-not-in-list.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-sign-no-signers", + srcs = ["proof-sign-no-signers.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-no-action", + srcs = ["proof-unsign-no-action.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-no-role", + srcs = ["proof-unsign-no-role.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-no-signers", + srcs = ["proof-unsign-no-signers.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-no-user", + srcs = ["proof-unsign-no-user.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-not-signed", + srcs = ["proof-unsign-not-signed.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-only-signer", + srcs = ["proof-unsign-only-signer.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-other-signers-first", + srcs = ["proof-unsign-other-signers-first.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-other-signers-not-first", + srcs = 
["proof-unsign-other-signers-not-first.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-unsign-Proposer", + srcs = ["proof-unsign-Proposer.k"], + semantics = ":functions-execute", +) + +ktrusted( + name = "trusted-count-can-sign", + srcs = ["proof-count-can-sign.k"], +) + +ktrusted( + name = "trusted-propose-action-BoardMember", + srcs = ["proof-propose-action-BoardMember.k"], +) + +ktrusted( + name = "trusted-propose-action-Proposer", + srcs = ["proof-propose-action-Proposer.k"], +) + +ktrusted( + name = "trusted-propose-action-error-no-role", + srcs = ["proof-propose-action-error-no-role.k"], +) + +ktrusted( + name = "trusted-propose-action-error-no-user", + srcs = ["proof-propose-action-error-no-user.k"], +) + +ktrusted( + name = "trusted-propose-sc-deploy-fragment", + srcs = ["proof-propose-sc-deploy-fragment.k"], ) diff --git a/multisig/protocol-correctness/proof/functions/functions-execute.k b/multisig/protocol-correctness/proof/functions/functions-execute.k index 3970e0a9e..abe0eb1a4 100644 --- a/multisig/protocol-correctness/proof/functions/functions-execute.k +++ b/multisig/protocol-correctness/proof/functions/functions-execute.k @@ -1,4 +1,4 @@ -require "../execution-proof.k" +require "protocol-correctness/proof/execution-proof.k" module FUNCTIONS-EXECUTE-SYNTAX imports EXECUTION-PROOF-SYNTAX diff --git a/multisig/protocol-correctness/proof/functions/functions.mak b/multisig/protocol-correctness/proof/functions/functions.mak index ef1f7ca77..02a33e0c6 100644 --- a/multisig/protocol-correctness/proof/functions/functions.mak +++ b/multisig/protocol-correctness/proof/functions/functions.mak 
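Review bot: The `ktrusted` targets at the end of the hunk (e.g. `trusted-count-can-sign`) list only the `.k` source, so nothing in this BUILD file makes the proving target for the same claim (`proof-count-can-sign`) a prerequisite of the `kprove` targets that assume it through `trusted = [...]`. Unless `proof.bzl` adds that edge itself, a dependent proof such as `proof-discard-action-has-signers` can build green while the lemma it relies on is unproven or failing, which silently weakens the whole proof suite. Consider wiring each trusted target to its proof (via whatever dependency attribute `ktrusted` supports, or a test suite that groups each lemma with its proof) so the assumption is always discharged.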
@@ -53,7 +53,7 @@ $(FUNCTIONS_OUT_PREFIX)proof-%.debugger: ${FUNCTIONS_DIR}/proof-%.k $(FUNCTIONS_ $(FUNCTIONS_OUT_PREFIX)execution.timestamp: $(FUNCTIONS_DIR)/functions-execute.k $(FUNCTIONS_EXECUTION) $(DIR_GUARD) @echo "Compiling execution..." - @kompile $< --backend haskell --directory $(FUNCTIONS_DIR) + @kompile $(KOMPILE_FLAGS) $< --backend haskell --directory $(FUNCTIONS_DIR) @touch $(FUNCTIONS_OUT_PREFIX)kompile.timestamp functions.clean: diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k index 514ae10f5..32b67b41f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k @@ -1,5 +1,5 @@ //@ proof -require "trusted-count-can-sign.k" +require "trusted-count-can-sign.k" //@ Bazel remove //@ trusted //@ end diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k new file mode 100644 index 000000000..213cdf6d2 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k 
@@ -0,0 +1,75 @@ +//@ proof +require "trusted-count-can-sign.k" //@ Bazel remove +//@ trusted +//@ end + +//@ proof +module PROOF-DISCARD-ACTION-NO-SIGNERS-NO-ACTION + imports FUNCTIONS-EXECUTE + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-DISCARD-ACTION-NO-SIGNERS-NO-ACTION + // imports EXECUTION-PROOF +//@ end + + claim + call(discardAction(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool userIdToRoleInvariant(UserIdToRole) + + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool notBool ActionId in_keys(ActionSigners) + andBool notBool ActionId in_keys(ActionData) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k index 81cb29859..4c85853b6 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k 
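Review bot: The claim has no comment stating which case it covers: `discardAction` on an id that is absent from both `ActionData` and `ActionSigners` returns `void` and leaves every cell unchanged. A header above `claim` such as `// discardAction on an unknown action id: no signers to count, nothing to clear, returns void.` would make the case split readable next to proof-discard-action-no-signers. It is also worth recording why `notBool u(0) in_keys(UserIdToRole)` is needed here when the caller is already bound to `UserId` through `AddressToUserId`; presumably the same reason as in the sibling proofs, but the file does not say.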
@@ -1,5 +1,5 @@ //@ proof -require "trusted-count-can-sign.k" +require "trusted-count-can-sign.k" //@ Bazel remove //@ trusted //@ end @@ -61,8 +61,6 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS requires true andBool notBool u(0) in_keys(UserIdToRole) - andBool isKResult(SignerIds) - andBool listElementsAreUsize(SignerIds) andBool userIdToRoleInvariant(UserIdToRole) diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k new file mode 100644 index 000000000..a5354cbc7 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k 
@@ -0,0 +1,79 @@ +//@ proof +require "trusted-count-can-sign.k" //@ Bazel remove +//@ trusted +//@ end + +//@ proof +module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION + imports FUNCTIONS-EXECUTE + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION + // imports EXECUTION-PROOF +//@ end + + // TODO: I think that this is an invalid case that should be discarded + // by the main invariant. + claim + call(discardAction(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionId |-> SignerIds ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex:Usize, + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool u(0) in_keys(UserIdToRole) + + andBool isKResult(SignerIds) + andBool listElementsAreUsize(SignerIds) + andBool userIdToRoleInvariant(UserIdToRole) + + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool countCanSignFunction(SignerIds, opaque(UserIdToRole)) ==Int 0 + andBool notBool ActionId in_keys(ActionData) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k index 2b70ff79a..fb458c4a7 100644 
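Review bot: The precondition binds `ActionId |-> SignerIds` inside `ActionSigners` while requiring `notBool ActionId in_keys(ActionData)`, i.e. a signer list for an action that has no data, and the `// TODO` above the claim already says this state should be ruled out by the main invariant. Proving the claim is harmless, but the cleaner fix is to add the missing property to the invariant (every key of `ActionSigners` is a key of `ActionData`, or whatever existing helper expresses it), after which this file and proof-discard-action-no-signers-no-action become unreachable cases rather than proofs to maintain. Until that is decided, the TODO should state which option was chosen, and the claim deserves a comment that the postcondition's bare `ActionSigners` means the dangling signer list is cleared by the call.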
--- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k @@ -1,5 +1,5 @@ //@ proof -require "trusted-count-can-sign.k" +require "trusted-count-can-sign.k" //@ Bazel remove //@ trusted //@ end diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k index 80712b1bf..a24910eca 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k @@ -1,6 +1,6 @@ //@ proof -require "trusted-propose-action-BoardMember.k" -require "trusted-propose-sc-deploy-fragment.k" +require "trusted-propose-action-BoardMember.k" //@ Bazel remove +require "trusted-propose-sc-deploy-fragment.k" //@ Bazel remove //@ trusted //@ end diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k index 9c6401806..9c06e5a16 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k @@ -1,6 +1,6 @@ //@ proof -require "trusted-propose-action-Proposer.k" -require "trusted-propose-sc-deploy-fragment.k" +require "trusted-propose-action-Proposer.k" //@ Bazel remove +require "trusted-propose-sc-deploy-fragment.k" //@ Bazel remove //@ trusted //@ end diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k index e2c38cc32..8710903cb 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k @@ -1,6 +1,6 @@ //@ proof -require "trusted-propose-action-error-no-role.k" -require "trusted-propose-sc-deploy-fragment.k" +require "trusted-propose-action-error-no-role.k" //@ Bazel remove +require "trusted-propose-sc-deploy-fragment.k" //@ Bazel remove //@ trusted //@ end diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k index a537d5d14..d77c69a98 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k @@ -1,6 +1,6 @@ //@ proof -require "trusted-propose-action-error-no-user.k" -require "trusted-propose-sc-deploy-fragment.k" +require "trusted-propose-action-error-no-user.k" //@ Bazel remove +require "trusted-propose-sc-deploy-fragment.k" //@ Bazel remove //@ trusted //@ end diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k new file mode 100644 index 000000000..665fbefc9 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k 
@@ -0,0 +1,63 @@ +//@ proof +module PROOF-UNSIGN-PROPOSER + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-UNSIGN-PROPOSER + // imports EXECUTION-PROOF +//@ end + + claim + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Action) + andBool valueIsNotEmpty(Action, rAction) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k new file mode 100644 index 000000000..4f70de7b0 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k 
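Review bot: None of the new unsign claims (this file and proof-unsign-no-action, proof-unsign-no-role, proof-unsign-no-signers, proof-unsign-no-user) carries a comment saying which case it covers or why the outcome is `error` or `void`. A one-line header above each `claim`, here `// unsign by a Proposer: only board members sign, so the call errors and the state is unchanged.`, would let the case split be audited against the contract without decoding the map patterns. Since the result is a bare `error`, the claims cannot distinguish the rejection reasons; that is fine for state preservation, but the comment should say so if the pseudocode's error carries no message.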
@@ -0,0 +1,62 @@ +//@ proof +module PROOF-UNSIGN-NO-ACTION + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-UNSIGN-NO-ACTION + // imports EXECUTION-PROOF +//@ end + + claim + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool notBool ActionId in_keys(ActionData) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k new file mode 100644 index 000000000..0fe8e0308 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k 
@@ -0,0 +1,65 @@ +//@ proof +module PROOF-UNSIGN-NO-ROLE + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-UNSIGN-NO-ROLE + // imports EXECUTION-PROOF +//@ end + + claim + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Action) + andBool valueIsNotEmpty(Action, rAction) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k new file mode 100644 index 000000000..576483d08 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k 
@@ -0,0 +1,65 @@ +//@ proof +module PROOF-UNSIGN-NO-SIGNERS + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-UNSIGN-NO-SIGNERS + // imports EXECUTION-PROOF +//@ end + + claim + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Action) + andBool valueIsNotEmpty(Action, rAction) + + andBool notBool ActionId in_keys(ActionSigners) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k new file mode 100644 index 000000000..450dbcbb2 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k 
@@ -0,0 +1,66 @@ +//@ proof +module PROOF-UNSIGN-NO-USER + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-UNSIGN-NO-USER + // imports EXECUTION-PROOF +//@ end + + claim + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + error ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Action) + andBool valueIsNotEmpty(Action, rAction) + andBool notBool u(0) in_keys(UserIdToRole) + + andBool notBool CallerAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k b/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k new file mode 100644 index 000000000..bc8e0e27c --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k 
@@ -0,0 +1,66 @@ +//@ proof +module PROOF-UNSIGN-NOT-SIGNED + imports FUNCTIONS-EXECUTE +//@ trusted +// module TRUSTED-UNSIGN-NOT-SIGNED + // imports EXECUTION-PROOF +//@ end + + claim + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map, + (ActionId |-> Signers:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Action) + andBool valueIsNotEmpty(Action, rAction) + andBool isKResult(Signers) + + andBool #listFind(Signers, UserId) + call(unsign(ActionId:Usize)) ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map, + Quorum:Usize, + u(ActionLastIndex:Int), + (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map, + ActionId |-> [UserId, .] 
ActionSigners:Map, + CallerAddress:Address, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + .Map + ) + + => + + void ~> K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + u(ActionLastIndex), + ActionData, + ActionSigners, + CallerAddress, + //@ proof + .List, // TODO: Stack:List, + //@ trusted + // Stack:List, + //@ end + ?_Variables + ):StateCell + + requires true + andBool isKResult(Action) + andBool valueIsNotEmpty(Action, rAction) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k new file mode 100644 index 000000000..184f847b4 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k 
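Review bot: The rendering of this hunk is truncated: the `requires` clause of PROOF-UNSIGN-NOT-SIGNED stops after `#listFind(Signers, UserId)`, and the file header and hunk header of the PROOF-UNSIGN-ONLY-SIGNER claim that follows are missing, so only the visible parts are reviewed. In the only-signer claim the pre-state binds `ActionId |-> [UserId, .]` inside `ActionSigners` while the post-state carries just `ActionSigners`, i.e. the key is deleted rather than mapped to an empty list. That representation choice is what PROOF-UNSIGN-NO-SIGNERS relies on, so a comment next to the post-state, `// removing the last signer deletes the ActionId entry instead of leaving [.]`, would tie the two claims together.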
@@ -0,0 +1,67 @@
+//@ proof
+module PROOF-UNSIGN-OTHER-SIGNERS-FIRST
+ imports FUNCTIONS-EXECUTE
+//@ trusted
+// module TRUSTED-UNSIGN-OTHER-SIGNERS-FIRST
+ // imports EXECUTION-PROOF
+//@ end
+
+ claim
+ call(unsign(ActionId:Usize)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
+ ActionId |-> [(UserId, _:Usize, _Signers:ExpressionCSV) #as Signers:ExpressionCSV] ActionSigners:Map,
+ CallerAddress:Address,
+ //@ proof
+ .List, // TODO: Stack:List,
+ //@ trusted
+ // Stack:List,
+ //@ end
+ .Map
+ )
+
+ =>
+
+ void ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionId |-> [#listSwapRemove(Signers, #listFind([Signers], UserId))] ActionSigners,
+ CallerAddress,
+ //@ proof
+ .List, // TODO: Stack:List,
+ //@ trusted
+ // Stack:List,
+ //@ end
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool isKResult(Action)
+ andBool valueIsNotEmpty(Action, rAction)
+ andBool isKResult(Signers)
+
+ andBool #listFind([Signers], UserId) >=Int 0
+ // andBool pListLen([Signers]) >=Int 2
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k
new file mode 100644
index 000000000..3cf98804e
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k
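Review bot: `andBool #listFind([Signers], UserId) >=Int 0` is implied by the pattern itself: `Signers` is bound as `(UserId, _:Usize, _Signers:ExpressionCSV)`, and the `#listFind([X:Usize, _:ExpressionCSV], X) => 0` rule in pseudocode.k fixes the index at 0, so the post-state could read `#listSwapRemove(Signers, 0)` and the requires could drop the condition. The same pair of conditions in PROOF-UNSIGN-OTHER-SIGNERS-NOT-FIRST (the next hunk) can be collapsed as its TODO asks: `#listFind([Signers], UserId) >Int 0` already entails `notBool First ==K UserId` by that rule. The commented-out `// andBool pListLen([Signers]) >=Int 2` is likewise implied by the pattern and should be deleted rather than left as a comment.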
@@ -0,0 +1,68 @@
+//@ proof
+module PROOF-UNSIGN-OTHER-SIGNERS-NOT-FIRST
+ imports FUNCTIONS-EXECUTE
+//@ trusted
+// module TRUSTED-UNSIGN-OTHER-SIGNERS-NOT-FIRST
+ // imports EXECUTION-PROOF
+//@ end
+
+ claim
+ call(unsign(ActionId:Usize)) ~> K:K
+
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map,
+ Quorum:Usize,
+ u(ActionLastIndex:Int),
+ (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
+ ActionId |-> [(First:Usize, _Signers:ExpressionCSV) #as Signers:ExpressionCSV] ActionSigners:Map,
+ CallerAddress:Address,
+ //@ proof
+ .List, // TODO: Stack:List,
+ //@ trusted
+ // Stack:List,
+ //@ end
+ .Map
+ )
+
+ =>
+
+ void ~> K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ u(ActionLastIndex),
+ ActionData,
+ ActionId |-> [#listSwapRemove(Signers, #listFind([Signers], UserId))] ActionSigners,
+ CallerAddress,
+ //@ proof
+ .List, // TODO: Stack:List,
+ //@ trusted
+ // Stack:List,
+ //@ end
+ ?_Variables
+ ):StateCell
+
+ requires true
+ andBool isKResult(Action)
+ andBool valueIsNotEmpty(Action, rAction)
+ andBool isKResult(Signers)
+
+ andBool #listFind([Signers], UserId) >=Int 0
+ andBool notBool First ==K UserId // TODO: Combine with the above.
+ // andBool pListLen([Signers]) >=Int 2
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof.bzl b/multisig/protocol-correctness/proof/functions/proof.bzl
deleted file mode 100644
index bc09a1941..000000000
--- a/multisig/protocol-correctness/proof/functions/proof.bzl
+++ /dev/null
@@ -1,33 +0,0 @@ -def _kompile_impl(ctx): - output_dir = ctx.actions.declare_directory(ctx.label.name + '-kompiled') - if len(ctx.files.srcs) != 1: - fail - input_names = [s.path for s in ctx.files.srcs] - # TODO: Make this work if the file name is not based on the target name. - ctx.actions.run( - inputs=ctx.files.srcs, - outputs=[output_dir], - arguments=input_names, - progress_message="Kompiling %s." % ctx.files.srcs[0].path, - # tools=depset(["//kompile_tool"]), - executable=ctx.executable.kompile_tool) - print("here") - return [ - DefaultInfo( - files = depset([ output_dir ]), - ) - ] - -kompile = rule( - implementation = _kompile_impl, - attrs = { - "deps": attr.label_list(), - "srcs": attr.label_list(allow_files = [".k"]), - "kompile_tool": attr.label( - executable = True, - cfg = "exec", - allow_files = True, - default = Label("//kompile_tool"), - ), - }, -) diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k index 0de867c1e..e238fe1be 100644 --- a/multisig/protocol-correctness/proof/invariant.k +++ b/multisig/protocol-correctness/proof/invariant.k @@ -1,3 +1,5 @@ +require "protocol-correctness/proof/execution-proof-helpers.k" + module INVARIANT-HELPERS imports EXECUTION-PROOF-HELPERS diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index 76ef99d64..9c47cb237 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k 
@@ -310,6 +310,172 @@ module SIGN-INSTRUMENTATION andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) endmodule +module UNSIGN-INSTRUMENTATION + imports INVARIANT-INSTRUMENTATION + + syntax KItem ::= splitUnsign(actionId:Usize) + syntax KItem ::= splitUnsign2(actionId:Usize) + syntax KItem ::= splitUnsign3(actionId:Usize) + syntax KItem ::= splitUnsign4(actionId:Usize) + syntax KItem ::= splitUnsign5(signers:ExpressionList, userId:Usize) + + rule preCall + ~> (.K => splitUnsign(ActionId)) + ~> call(unsign(ActionId:Usize)) + [priority(20)] + + rule splitUnsign(ActionId:Usize) + => branchK( + ActionId in_keys(ActionData), + makeConcreteValue(ActionId, rAction, ActionData) + ~> branchK( + CallerAddress in_keys(AddressToUserId), + splitUnsign2(ActionId), + .K + ), + .K + ) + ... + ActionData:Map + AddressToUserId:Map + CallerAddress:KItem + + rule splitUnsign2(ActionId:Usize) + => makeConcreteValue(CallerAddress, rUsize, AddressToUserId) + ~> branchK( + AddressToUserId[CallerAddress] in_keys(UserIdToRole), + splitUnsign3(ActionId), + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + CallerAddress:KItem + requires CallerAddress in_keys(AddressToUserId) + + rule splitUnsign3(ActionId:Usize) + => makeConcreteValue(AddressToUserId[CallerAddress], rUserRole, UserIdToRole) + ~> branchK( + UserIdToRole[AddressToUserId[CallerAddress]] ==K BoardMember, + branchK( + ActionId in_keys(ActionSigners), + makeConcreteValue(ActionId, rExpressionList, ActionSigners) + ~> splitUnsign4(ActionId), + .K + ), + .K + ) + ... + AddressToUserId:Map + UserIdToRole:Map + CallerAddress:KItem + ActionSigners:Map + requires true + andBool CallerAddress in_keys(AddressToUserId) + andBool AddressToUserId[CallerAddress] in_keys(UserIdToRole) + + rule splitUnsign4(ActionId:Usize) + => splitUnsign5( + {ActionSigners[ActionId]}:>ExpressionList, + {AddressToUserId[CallerAddress]}:>Usize + ) + ... 
+ ActionSigners:Map + AddressToUserId:Map + CallerAddress:KItem + requires true + andBool ActionId in_keys(ActionSigners) + andBool isExpressionList(ActionSigners[ActionId]) + andBool CallerAddress in_keys(AddressToUserId) + andBool isUsize(AddressToUserId[CallerAddress]) + + rule splitUnsign5(Signers:ExpressionList, UserId:Usize) + => branchK( + #listFind(Signers, UserId) >=Int 0, + concretizeExpressionList(Signers, 2) + ~> branchK( + pListLen(Signers) >=Int 1, + makeConcrete(expressionListGetOrDefault(Signers, 0, void), rUsize) + ~> branchK( + pListLen(Signers) ==Int 1, + branchK( + expressionListGetOrDefault(Signers, 0, void) ==K UserId, + .K, + .K + ), + branchK( + pListLen(Signers) >=Int 2, + makeConcrete(expressionListGetOrDefault(Signers, 1, void), rUsize) + ~> branchK( + expressionListGetOrDefault(Signers, 0, void) ==K UserId, + .K, + branchK( + expressionListGetOrDefault(Signers, 1, void) ==K UserId, + .K, + .K + ) + ), + stuck + ) + ), + stuck + ), + // branchK( + // ActionSigners[ActionId] ==K [?UserId1:Expression, .], + // makeConcrete(?UserId1, rUsize) + // ~> branchK( + // ?UserId1 ==K AddressToUserId[CallerAddress], + // .K, + // .K + // ), + // branchK( + // ActionSigners[ActionId] ==K [?UserId2:Expression, ?UserId3:Expression, ?_:ExpressionCSV], + // makeConcrete(?UserId2, rUsize) + // ~> makeConcrete(?UserId3, rUsize) + // ~> branchK( + // ?UserId2 ==K AddressToUserId[CallerAddress], + // .K, + // .K + // ), + // .K + // ) + // ), + .K + ) + requires true + + // rule splitUnsign6(ActionId:Usize, Signers:ExpressionList, UserId:Usize) + // => branchK( + // #listFind(Signers, UserId) >=Int 0, + // concretizeExpressionList(Signers, 2) + // ~> branchK( + // pListLen(Signers) >=Int 1, + // makeConcrete(expressionListGetOrDefault(Signers, 0, void), rUsize) + // ~> branchK( + // pListLen(Signers) ==Int 1, + // branchK( + // expressionListGetOrDefault(Signers, 0, void) ==K UserId, + // .K, + // .K + // ), + // branchK( + // pListLen(Signers) >=Int 2, + // 
makeConcrete(expressionListGetOrDefault(Signers, 1, void), rUsize) + // ~> branchK( + // expressionListGetOrDefault(Signers, 1, void) ==K UserId, + // .K, + // .K + // ), + // stuck + // ) + // ), + // stuck + // ), + // .K + // ) + // requires true +endmodule + module DISCARD-ACTION-INSTRUMENTATION imports INVARIANT-INSTRUMENTATION imports PROOF-INSTRUMENTATION @@ -355,13 +521,18 @@ module DISCARD-ACTION-INSTRUMENTATION ~> branchK( ActionId in_keys(ActionSigners), splitDiscardAction3(ActionId), - splitDiscardAction4(ActionId) + branchK( + ActionId in_keys(ActionData), + makeConcreteValue(ActionId, rAction, ActionData), + .K + ) ) ... AddressToUserId:Map UserIdToRole:Map Caller:KItem ActionSigners:Map + ActionData requires Caller in_keys(AddressToUserId) rule splitDiscardAction3(ActionId:Usize) @@ -403,6 +574,7 @@ module INVARIANT-EXECUTION imports PERFORM-SPLIT-ACTION-INSTRUMENTATION imports PROPOSE-SC-DEPLOY-INSTRUMENTATION imports DISCARD-ACTION-INSTRUMENTATION + imports UNSIGN-INSTRUMENTATION imports COUNT-CAN-SIGN-PARTS imports INIT-LOOP-PARTS diff --git a/multisig/protocol-correctness/proof/invariant/invariant.mak b/multisig/protocol-correctness/proof/invariant/invariant.mak index b3506a114..fe5a2097f 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant.mak +++ b/multisig/protocol-correctness/proof/invariant/invariant.mak @@ -31,7 +31,7 @@ $(INVARIANT_OUT_PREFIX)proof-%.debugger: $(INVARIANT_OUT_PREFIX)proof-%.k $(INVA $(INVARIANT_OUT_PREFIX)execution.timestamp: $(INVARIANT_DIR)/invariant-execution.k ${INVARIANT_EXECUTION} $(DIR_GUARD) @echo "Compiling execution..." - @kompile $< --backend haskell --directory $(INVARIANT_DIR) + @kompile $(KOMPILE_FLAGS) $< --backend haskell --directory $(INVARIANT_DIR) @touch $(INVARIANT_OUT_PREFIX)execution.timestamp invariant.clean: 
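Review bot: `splitUnsign5` leaves roughly sixty lines of commented-out alternatives in the new UNSIGN-INSTRUMENTATION module (the `// branchK(...)` block inside the rule and the whole `// rule splitUnsign6(...)`); they carry nothing the live rule lacks and should be deleted, version control keeps them. The live rule also ends in `requires true`, which is vacuous. Several `branchK` calls have `.K` in both arms, e.g. `branchK(expressionListGetOrDefault(Signers, 0, void) ==K UserId, .K, .K)`; presumably they exist only to case-split the proof, and a comment on the first one, `// both arms are .K: the branch only splits the proof on whether the sole signer is the caller`, would save the next reader from hunting for a missing effect. The `stuck` arms under `pListLen(Signers) >=Int 1` and `>=Int 2` appear unreachable once `#listFind(Signers, UserId) >=Int 0` holds, which the same comment could note.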
diff --git a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k index d09b3ba4f..78c07e0a6 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k +++ b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k @@ -1,8 +1,10 @@ require "../functions/trusted-discard-action-has-signers.k" require "../functions/trusted-discard-action-no-role.k" require "../functions/trusted-discard-action-no-signers.k" +require "../functions/trusted-discard-action-no-signers-no-action.k" require "../functions/trusted-discard-action-no-user.k" require "../functions/trusted-discard-action-no-valid-signers.k" +require "../functions/trusted-discard-action-no-valid-signers-no-action.k" module PROOF-DISCARD-ACTION imports INVARIANT-EXECUTION @@ -11,8 +13,10 @@ module PROOF-DISCARD-ACTION imports TRUSTED-DISCARD-ACTION-HAS-SIGNERS imports TRUSTED-DISCARD-ACTION-NO-ROLE imports TRUSTED-DISCARD-ACTION-NO-SIGNERS + imports TRUSTED-DISCARD-ACTION-NO-SIGNERS-NO-ACTION imports TRUSTED-DISCARD-ACTION-NO-USER imports TRUSTED-DISCARD-ACTION-NO-VALID-SIGNERS + imports TRUSTED-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION claim runExternalCalls( diff --git a/multisig/protocol-correctness/proof/invariant/proof-unsign.k b/multisig/protocol-correctness/proof/invariant/proof-unsign.k index 394a7c442..4fb78a2c2 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-unsign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-unsign.k 
@@ -1,10 +1,30 @@ +require "../functions/trusted-unsign-no-action.k" +require "../functions/trusted-unsign-only-signer.k" +require "../functions/trusted-unsign-other-signers-not-first.k" +require "../functions/trusted-unsign-other-signers-first.k" +require "../functions/trusted-unsign-not-signed.k" +require "../functions/trusted-unsign-no-signers.k" +require "../functions/trusted-unsign-Proposer.k" +require "../functions/trusted-unsign-no-role.k" +require "../functions/trusted-unsign-no-user.k" + module PROOF-UNSIGN imports INVARIANT-EXECUTION imports PSEUDOCODE + imports TRUSTED-UNSIGN-NO-ACTION + imports TRUSTED-UNSIGN-ONLY-SIGNER + imports TRUSTED-UNSIGN-OTHER-SIGNERS-NOT-FIRST + imports TRUSTED-UNSIGN-OTHER-SIGNERS-FIRST + imports TRUSTED-UNSIGN-NOT-SIGNED + imports TRUSTED-UNSIGN-NO-SIGNERS + imports TRUSTED-UNSIGN-PROPOSER + imports TRUSTED-UNSIGN-NO-ROLE + imports TRUSTED-UNSIGN-NO-USER + claim runExternalCalls( - ( from _:Address run unsign(ActionId:Usize); + ( from _:Address run unsign(_ActionId:Usize); EC:ExternalCommands ) ) diff --git a/multisig/protocol-correctness/proof/map/BUILD b/multisig/protocol-correctness/proof/map/BUILD new file mode 100644 index 000000000..89a3f385c --- /dev/null +++ b/multisig/protocol-correctness/proof/map/BUILD @@ -0,0 +1,8 @@ +load("//:proof.bzl", "klibrary") + +klibrary( + name = "map-files", + srcs = ["map-execute.k"], + deps = [], + visibility = ["//visibility:public"], +) diff --git a/multisig/protocol-correctness/proof/map/map.mak b/multisig/protocol-correctness/proof/map/map.mak index e47934d3b..4bf050f66 100644 --- a/multisig/protocol-correctness/proof/map/map.mak +++ b/multisig/protocol-correctness/proof/map/map.mak 
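Review bot: The nine `require`/`imports` pairs added to PROOF-UNSIGN are in no particular order, whereas PROOF-DISCARD-ACTION in the previous hunk keeps its list sorted; sorting them (`no-action`, `no-role`, `no-signers`, `no-user`, `not-signed`, `only-signer`, `other-signers-first`, `other-signers-not-first`, `Proposer`) makes a missing case easier to check against the `splitUnsign*` branches. The `trusted-unsign-Proposer.k` path with a capital P follows the existing `proof-change-user-role-Proposer.k` naming, but `require` paths are case-sensitive on most filesystems, so it is worth confirming the file on disk carries exactly that spelling.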
@@ -31,7 +31,7 @@ $(MAP_OUT_PREFIX)proof-%.debugger: ${MAP_DIR}/proof-%.k $(MAP_OUT_PREFIX)executi $(MAP_OUT_PREFIX)execution.timestamp: $(MAP_DIR)/map-execute.k $(MAP_EXECUTION) $(DIR_GUARD) @echo "Compiling execution..." - @kompile $< --backend haskell --directory $(MAP_DIR) + @kompile $(KOMPILE_FLAGS) $< --backend haskell --directory $(MAP_DIR) @touch $(MAP_OUT_PREFIX)execution.timestamp map.clean: diff --git a/multisig/protocol-correctness/proof/properties/properties.mak b/multisig/protocol-correctness/proof/properties/properties.mak index f447af5ce..8844866f9 100644 --- a/multisig/protocol-correctness/proof/properties/properties.mak +++ b/multisig/protocol-correctness/proof/properties/properties.mak @@ -31,7 +31,7 @@ $(PROPERTIES_OUT_PREFIX)proof-%.debugger: ${PROPERTIES_DIR}/proof-%.k $(PROPERTI $(PROPERTIES_OUT_PREFIX)execution.timestamp: $(PROPERTIES_DIR)/properties-execute.k $(PROPERTIES_EXECUTION) $(DIR_GUARD) @echo "Compiling execution..." - @kompile $< --backend haskell --directory $(PROPERTIES_DIR) + @kompile $(KOMPILE_FLAGS) $< --backend haskell --directory $(PROPERTIES_DIR) @touch $(PROPERTIES_OUT_PREFIX)execution.timestamp properties.clean: diff --git a/multisig/protocol-correctness/proof/settings.mak b/multisig/protocol-correctness/proof/settings.mak index 85d65e2b2..6de6f30ac 100644 --- a/multisig/protocol-correctness/proof/settings.mak +++ b/multisig/protocol-correctness/proof/settings.mak @@ -1,5 +1,7 @@ SHELL?=/bin/bash -euo pipefail +KOMPILE_FLAGS=-I $(shell git rev-parse --show-toplevel)/multisig + BACKEND_COMMAND ?= "kore-exec --smt-timeout 4000" DEBUG_COMMAND ?= "kore-repl --smt-timeout 4000 --repl-script /home/virgil/runtime-verification/k/haskell-backend/src/main/native/haskell-backend/kore/data/kast.kscript" DIR_GUARD ?= @mkdir -p $(@D) diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k index deaae52e9..a9df25646 100644 --- a/multisig/protocol-correctness/pseudocode.k 
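Review bot: `KOMPILE_FLAGS=-I $(shell git rev-parse --show-toplevel)/multisig` in settings.mak is recursively expanded, so `git rev-parse` is re-run at every expansion, and outside a git work tree (an exported tarball, a CI cache) the command fails and the flag silently degrades to `-I /multisig`, after which the new `require "protocol-correctness/proof/execution-proof-helpers.k"` in invariant.k no longer resolves. Simple expansion plus a loud failure is cheap: `TOPLEVEL:=$(shell git rev-parse --show-toplevel)` and `KOMPILE_FLAGS:=-I $(if $(TOPLEVEL),$(TOPLEVEL),$(error settings.mak must be used inside the git work tree))/multisig`. The three kompile recipes in invariant.mak, map.mak and properties.mak that consume the variable need no change.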
+++ b/multisig/protocol-correctness/pseudocode.k 
@@ -814,43 +814,33 @@ module PSEUDOCODE-FUNCTIONS rule #listContains([_:Expression, Es:ExpressionCSV], X:KItem) => #listContains([Es], X) [owise] - rule call(listFind(Es:ExpressionList, E:Expression)) => #listFind(Es, E) + rule call(listFind(Es:ExpressionList, E:Expression)) => u(#listFind(Es, E)) - syntax Usize ::= #listFind(ExpressionList, Expression) [function, functional] + syntax Int ::= #listFind(ExpressionList, Expression) [function, functional] - rule #listFind([.], _) => u(-1) - rule #listFind([X:Usize, _:ExpressionCSV], X) => u(0) - rule #listFind([_:Usize, Es:ExpressionCSV], X:Usize) => add(#listFind([Es], X), u(1)) [owise] - - /* - rule call(listSwapRemove([_:Expression , L:ExpressionCSV], u(0))) => lastToStart(., L) - rule call(listSwapRemove([E:Expression , L:ExpressionCSV], u(Index:Int))) - => call(listSwapRemove([L], u(Index -Int 1))) ~> pushListFreezer(E) - requires Index >Int 0 - - syntax KItem ::= pushListFreezer(Expression) - rule [L:ExpressionCSV] ~> pushListFreezer(E:Expression) => [E , L] - - syntax KItem ::= lastToStart(ExpressionCSV, ExpressionCSV) - syntax KItem ::= reverseExpressionCsv(ExpressionCSV, ExpressionCSV) - - rule lastToStart(., .) => [.] - rule lastToStart(L1:ExpressionCSV, (E:Expression , L2:ExpressionCSV)) - => lastToStart((E , L1), L2) - rule lastToStart(L1:ExpressionCSV, (E:Expression, .)) - => reverseExpressionCsv(L1, .) 
~> pushListFreezer(E) + rule #listFind([.], _:Expression) => -1 + rule #listFind([X:Usize, _:ExpressionCSV], X) => 0 + rule #listFind([_:Usize, Es:ExpressionCSV], X:Usize) => addOneIfNotNegative(#listFind([Es], X)) + [owise] + + syntax Int ::= addOneIfNotNegative(Int) [function, functional] + rule addOneIfNotNegative(X:Int) => X +Int 1 + requires X >=Int 0 + rule addOneIfNotNegative(X) => X + requires X L2 - rule reverseExpressionCsv((E:Expression , Es:ExpressionCSV), L2:ExpressionCSV) => reverseExpressionCsv(Es, (E , L2)) - */ + syntax Int ::= pListLen(ExpressionList) [function, functional, smtlib(pListLen)] + rule pListLen([.]) => 0 + rule pListLen([_:Expression, Es:ExpressionCSV]) => 1 +Int pListLen([Es]) rule call(listSwapRemove([L:ExpressionCSV], u(I:Int))) => [#listSwapRemove(L, I)] - // TODO: require I >= 0 + // TODO: Do things work with this requires? + requires I >=Int 0 syntax ExpressionCSV ::= #listSwapRemove(ExpressionCSV, Int) [function, functional] rule #listSwapRemove(_:Expression , Es:ExpressionCSV, 0) - => lastToStart(., Es) + => lastToStart(Es) rule #listSwapRemove(E:Expression , Es:ExpressionCSV, I:Int) => E , #listSwapRemove(Es, I -Int 1) requires I >Int 0 
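Review bot: `requires I >=Int 0` on `call(listSwapRemove([L], u(I)))` means a negative index, which `call(listFind(...))` can now produce as `u(#listFind(...))` with `#listFind` returning `-1`, matches no rule and leaves the call silently stuck instead of yielding `error`; the `// TODO: Do things work with this requires?` comment asks exactly this. If a negative index is a protocol error rather than an impossible state, add `rule call(listSwapRemove([_:ExpressionCSV], u(I:Int))) => error requires I <Int 0` and replace the TODO with a comment saying which of the two it is. Part of this hunk is garbled in this rendering (`requires X L2` after `addOneIfNotNegative`), so the `X <Int 0` side condition is taken on trust.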
@@ -858,12 +848,35 @@ module PSEUDOCODE-FUNCTIONS => Es requires I .:ExpressionCSV - rule lastToStart(L1:ExpressionCSV, (E:Expression, .)) - => E , reverseExpressionCsv(L1, .) - rule lastToStart(L1:ExpressionCSV, (E:Expression , L2:ExpressionCSV)) - => lastToStart((E , L1), L2) + syntax ExpressionCSV ::= lastToStart(ExpressionCSV) [function, functional] + rule lastToStart(.) => .:ExpressionCSV + rule lastToStart(Es:ExpressionCSV) => last(Es), removeLast(Es) + requires pListLen([Es]) >Int 0 + + syntax Expression ::= last(ExpressionCSV) [function] + rule last(E:Expression, .) => E + rule last(_:Expression, Es:ExpressionCSV) => last(Es) + requires pListLen([Es]) >Int 0 + + rule #Ceil(last(@Es:ExpressionCSV)) + => {pListLen([@Es]) >Int 0 #Equals true} + #And #Ceil(@Es) + [anywhere, simplification] + + syntax ExpressionCSV ::= removeLast(ExpressionCSV) [function] + rule removeLast(_:Expression, .) => .:ExpressionCSV + rule removeLast(E:Expression, Es:ExpressionCSV) => E, removeLast(Es) + requires pListLen([Es]) >Int 0 + + rule #Ceil(removeLast(@Es:ExpressionCSV)) + => {pListLen([@Es]) >Int 0 #Equals true} + #And #Ceil(@Es) + [anywhere, simplification] + + // rule lastToStart(L1:ExpressionCSV, (E:Expression, .)) + // => E , reverseExpressionCsv(L1, .) + // rule lastToStart(L1:ExpressionCSV, (E:Expression , L2:ExpressionCSV)) + // => lastToStart((E , L1), L2) syntax ExpressionCSV ::= reverseExpressionCsv(ExpressionCSV, ExpressionCSV) [function, functional] rule reverseExpressionCsv(., L2:ExpressionCSV) => L2 From b87588f5e4e4a6348bbe0fb77aeaa704ce29df15 Mon Sep 17 00:00:00 2001 
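Review bot: The four commented-out lines of the old two-argument `lastToStart` remain under the new definition and should go; `reverseExpressionCsv` right below them was, as far as this hunk shows, only used by that old definition, so if nothing else references it, it can be removed too. A one-line comment on the new function would record what the partial helpers encode: `// lastToStart(Es) moves the last element to the front (swap-remove of index 0); last/removeLast are partial, hence the #Ceil rules`. The `requires I .:ExpressionCSV` fragment at the top of this hunk is a rendering artefact (a `<Int 0` side condition was swallowed), not a change to review.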
From: Virgil Serbanuta Date: Sat, 3 Apr 2021 00:39:12 +0300 Subject: [PATCH 19/37] Add performed actions logging --- .../proof/execution-proof.k | 10 + .../proof-change-user-role-BoardMember.k | 6 +- .../functions/proof-change-user-role-New.k | 6 +- .../functions/proof-change-user-role-None.k | 6 +- .../proof-change-user-role-Proposer.k | 6 +- .../proof-propose-action-BoardMember.k | 6 +- .../functions/proof-propose-action-Proposer.k | 6 +- .../proof/functions/proof-sign-caller-none.k | 6 +- .../functions/proof-sign-caller-not-user.k | 6 +- .../functions/proof-sign-caller-proposer.k | 6 +- .../proof/functions/proof-sign-empty-action.k | 6 +- .../proof-sign-existing-signers-in-list.k | 6 +- .../proof-sign-existing-signers-not-in-list.k | 6 +- .../proof/functions/proof-sign-no-signers.k | 6 +- .../protocol-correctness/proof/invariant.k | 27 +- .../proof/invariant/count-can-sign-parts.k | 18 +- .../proof/invariant/init-loop-parts.k | 6 + .../proof/invariant/invariant-execution.k | 38 +- .../proof/invariant/perform-parts.k | 18 +- .../proof/invariant/proof-count-can-sign.k | 6 +- .../proof/invariant/proof-discard-action.k | 6 +- .../proof/invariant/proof-init.k | 6 +- .../invariant/proof-perform-action-endpoint.k | 12 +- .../proof/invariant/proof-perform-action.k | 337 +++++------------- .../proof-perform-add-board-member.k | 12 +- .../invariant/proof-perform-add-proposer-1.k | 12 +- .../invariant/proof-perform-add-proposer-3.k | 12 +- .../invariant/proof-perform-add-proposer-5.k | 12 +- .../invariant/proof-perform-add-proposer-7.k | 12 +- .../invariant/proof-perform-add-proposer-8.k | 12 +- .../invariant/proof-perform-add-proposer-9.k | 12 +- .../invariant/proof-perform-change-quorum.k | 24 +- .../proof/invariant/proof-perform-nothing.k | 12 +- .../invariant/proof-perform-remove-user-1.k | 12 +- .../invariant/proof-perform-remove-user-10.k | 12 +- .../invariant/proof-perform-remove-user-3.k | 12 +- .../invariant/proof-perform-remove-user-5.k | 12 +- 
.../invariant/proof-perform-remove-user-7.k | 12 +- .../invariant/proof-perform-remove-user-9.k | 12 +- .../proof/invariant/proof-perform-s-c-call.k | 12 +- .../invariant/proof-perform-s-c-deploy.k | 12 +- .../proof/invariant/proof-perform-send-egld.k | 12 +- .../proof-propose-add-board-member.k | 6 +- .../invariant/proof-propose-add-proposer.k | 6 +- .../invariant/proof-propose-change-quorum.k | 6 +- .../invariant/proof-propose-remove-user.k | 6 +- .../proof/invariant/proof-propose-sc-call.k | 6 +- .../proof/invariant/proof-propose-sc-deploy.k | 6 +- .../proof/invariant/proof-propose-send-egld.k | 6 +- .../proof/invariant/proof-sign.k | 6 +- .../proof/invariant/proof-unsign.k | 6 +- .../proof-board-members-sign-for-2.k | 12 +- .../proof-board-members-sign-for-3.k | 12 +- .../properties/proof-board-members-sign-for.k | 12 +- .../proof-can-propose-and-execute.k | 6 +- multisig/protocol-correctness/pseudocode.k | 44 ++- 56 files changed, 490 insertions(+), 440 deletions(-) diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index a54bdd710..cbc3a8efc 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k @@ -12,9 +12,19 @@ module CONCRETIZE-INSTRUMENTATION imports PSEUDOCODE syntax KItem ::= concretizeValue(KItem) + rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV) + rule concretizeValue(u(V:Int)) => concretizeValue(V) + rule concretizeValue(address(V:Int)) => concretizeValue(V) + + rule concretizeValue(big(V:Int)) => concretizeValue(V) + + rule concretizeValue(meta(V:Int)) => concretizeValue(V) + + rule concretizeValue(bytes(V:String)) => concretizeValue(V) + rule concretizeValue(BoardMember) => .K rule concretizeValue(Proposer) => .K rule concretizeValue(None) => .K 
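Review bot: `rule concretizeValue(bytes(V:String)) => concretizeValue(V)` delegates to `concretizeValue` on a `String`, while the other new unwrapping rules delegate on an `Int` and the `[CSV:ExpressionCSV]` rule on an `ExpressionCSV`; only the rules for the role constants are visible in this hunk, so whether base cases for those three sorts exist cannot be confirmed here. If there is no `String` case, concretizing a `bytes` value gets stuck. Once confirmed, a comment above the block, `// wrappers unwrap to Int/String/ExpressionCSV, which have their own concretizeValue rules`, would make the intended coverage checkable at a glance.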
diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k index af236efde..c1a7156fb 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k @@ -25,7 +25,8 @@ module PROOF-CHANGE-USER-ROLE-BOARDMEMBER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-CHANGE-USER-ROLE-BOARDMEMBER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k index ed9dd5271..21f12ba04 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k @@ -25,7 +25,8 @@ module PROOF-CHANGE-USER-ROLE-NEW //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-CHANGE-USER-ROLE-NEW //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k index 2b7f31e0a..64bed582f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k @@ -25,7 +25,8 @@ module PROOF-CHANGE-USER-ROLE-NONE //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => 
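Review bot: `PerformedActions:List` is added as the last positional argument of `invariantStateFull` on both sides of every claim from proof-change-user-role-BoardMember.k through proof-sign-no-signers.k (the sections on this and the following lines), so each function-level claim now asserts that the call leaves the performed-actions log unchanged, but nothing in the claims says so. The argument also brings the tuple to fourteen positional slots written out in full in thirteen files, where a swapped slot in one file would be hard to notice. A comment beside the new line, `// performed-actions log is untouched by this call`, would state the intent, and writing the post-state argument as `PerformedActions` without the `:List` annotation, as the other post-state arguments are written, would keep the two halves visually aligned.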
@@ -48,7 +49,8 @@ module PROOF-CHANGE-USER-ROLE-NONE //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k index 1afa89bf3..c8875fc84 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k @@ -25,7 +25,8 @@ module PROOF-CHANGE-USER-ROLE-PROPOSER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-CHANGE-USER-ROLE-PROPOSER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k index 624a353ef..9268998d9 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k @@ -25,7 +25,8 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k index 4199923e0..60e02ca45 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k 
@@ -25,7 +25,8 @@ module PROOF-PROPOSE-ACTION-PROPOSER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-PROPOSE-ACTION-PROPOSER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k index 913a41322..373ead98e 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k @@ -25,7 +25,8 @@ module PROOF-SIGN-CALLER-NONE //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-CALLER-NONE //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k index f6bad293d..13b3c0e78 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k @@ -25,7 +25,8 @@ module PROOF-SIGN-CALLER-NOT-USER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-CALLER-NOT-USER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k index 599d46bb4..4fe1ef53c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k 
@@ -25,7 +25,8 @@ module PROOF-SIGN-CALLER-PROPOSER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-CALLER-PROPOSER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k index 45e6204a4..436929cad 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k @@ -25,7 +25,8 @@ module PROOF-SIGN-EMPTY-ACTION //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-EMPTY-ACTION //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k index 37f472042..e333b906d 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k @@ -25,7 +25,8 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k index 4b08680d8..23518bdd4 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k @@ -25,7 +25,8 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k index 01f677f8e..3540cf3f6 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k @@ -25,7 +25,8 @@ module PROOF-SIGN-NO-SIGNERS //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-SIGN-NO-SIGNERS //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k index e238fe1be..87bff3332 100644 --- a/multisig/protocol-correctness/proof/invariant.k +++ b/multisig/protocol-correctness/proof/invariant.k @@ -75,7 +75,8 @@ module INVARIANT quorum:Usize, actionLastIndex:Usize, actionData:Map, - actionSigners:Map) [function, functional] + actionSigners:Map, + performedActions:List) [function, functional] syntax MultisigStateCell ::= invariantMultisigState( numUsers:Usize, @@ -101,7 +102,8 @@ module INVARIANT actionData:Map, actionSigners:Map, callerAddress:KItem, - stack:List) [function, functional] + stack:List, + performedActions:List) [function, functional] syntax StateCell ::= invariantStateFull( numUsers:Usize, 
@@ -116,7 +118,8 @@ module INVARIANT actionSigners:Map, callerAddress:KItem, stack:List, - variables:Map) [function, functional] + variables:Map, + performedActions:List) [function, functional] rule invariantState( NumUsers:Usize, @@ -128,7 +131,8 @@ module INVARIANT Quorum:Usize, ActionLastIndex:Usize, ActionData:Map, - ActionSigners:Map) + ActionSigners:Map, + PerformedActions:List) => invariantStateStack( NumUsers, @@ -142,7 +146,8 @@ module INVARIANT ActionData, ActionSigners, uninitialized, - .List) + .List, + PerformedActions) rule invariantStateStack( NumUsers:Usize, @@ -156,7 +161,8 @@ module INVARIANT ActionData:Map, ActionSigners:Map, CallerAddress:KItem, - Stack:List) + Stack:List, + PerformedActions:List) => invariantStateFull( NumUsers, UserIdToAddress, @@ -170,7 +176,8 @@ module INVARIANT ActionSigners, CallerAddress, Stack, - .Map) + .Map, + PerformedActions) rule invariantStateFull( NumUsers:Usize, @@ -185,7 +192,8 @@ module INVARIANT ActionSigners:Map, CallerAddress:KItem, Stack:List, - Variables:Map) + Variables:Map, + PerformedActions:List) => invariantMultisigState( @@ -206,6 +214,9 @@ module INVARIANT CallerAddress + + PerformedActions + rule invariantMultisigState( diff --git a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k index 205c41f08..1e817edad 100644 --- a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k +++ b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k @@ -14,7 +14,8 @@ module COUNT-CAN-SIGN-PARTS ActionStateCell, variables:Map, stack:List, - ExternalCallEnvCell) + ExternalCallEnvCell, + performedActions:List) [function, functional] rule countCanSignLhs( @@ -28,7 +29,8 @@ module COUNT-CAN-SIGN-PARTS ActionState:ActionStateCell, Variables:Map, Stack:List, - ExternalCallEnv:ExternalCallEnvCell) + ExternalCallEnv:ExternalCallEnvCell, + PerformedActions:List) => call(countCanSign(SignerIds)) 
@@ -50,6 +52,9 @@ module COUNT-CAN-SIGN-PARTS Stack ExternalCallEnv + + PerformedActions + @@ -64,7 +69,8 @@ module COUNT-CAN-SIGN-PARTS ActionStateCell, variables:Map, stack:List, - ExternalCallEnvCell) + ExternalCallEnvCell, + performedActions:List) [function, functional] rule countCanSignRhs( @@ -78,7 +84,8 @@ module COUNT-CAN-SIGN-PARTS ActionState:ActionStateCell, Variables:Map, Stack:List, - ExternalCallEnv:ExternalCallEnvCell) + ExternalCallEnv:ExternalCallEnvCell, + PerformedActions:List) => evaluate(Count) ~> K @@ -99,6 +106,9 @@ module COUNT-CAN-SIGN-PARTS Stack ExternalCallEnv + + PerformedActions + diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k index 91cc11831..cf6aea60c 100644 --- a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k +++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k @@ -70,6 +70,9 @@ module INIT-LOOP-PARTS Stack ExternalCallEnv + + .List + @@ -130,6 +133,9 @@ module INIT-LOOP-PARTS Stack ExternalCallEnv + + .List + diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index 9c47cb237..c7e0c8175 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k @@ -47,6 +47,7 @@ endmodule module PERFORM-SPLIT-ACTION-INSTRUMENTATION imports PSEUDOCODE + imports CONCRETIZE-INSTRUMENTATION syntax KItem ::= "splitting-action" rule pushContext ~> (.K => splitAction(A) ~> splitting-action) ~> call(performAction(A:Action)) 
@@ -57,23 +58,30 @@ module PERFORM-SPLIT-ACTION-INSTRUMENTATION syntax KItem ::= splitAction(Action) rule splitAction(Nothing) => .K - rule splitAction(AddBoardMember(_:Address)) => .K - rule splitAction(AddProposer(_:Address)) => .K - rule splitAction(RemoveUser(address(_:Int))) => .K - rule splitAction(ChangeQuorum(_:Usize)) => .K - rule splitAction(SendEgld(_To:Address, _Amount:BigUint, _Data:BoxedBytes)) => .K + rule splitAction(AddBoardMember(A:Address)) => concretizeValue(A) + rule splitAction(AddProposer(A:Address)) => concretizeValue(A) + rule splitAction(RemoveUser(A:Address)) => concretizeValue(A) + rule splitAction(ChangeQuorum(Q:Usize)) => concretizeValue(Q) + rule splitAction(SendEgld(To:Address, Amount:BigUint, Data:BoxedBytes)) => + concretizeValue(To) ~> concretizeValue(Amount) ~> concretizeValue(Data) rule splitAction(SCDeploy( - _Amount:BigUint, - _Code:BoxedBytes, - _CodeMetadata:CodeMetadata, - _Arguments:ExpressionList)) - => .K + Amount:BigUint, + Code:BoxedBytes, + CodeMetadata:CodeMetadata, + Arguments:ExpressionList)) + => concretizeValue(Amount) + ~> concretizeValue(Code) + ~> concretizeValue(CodeMetadata) + ~> concretizeValue(Arguments) rule splitAction(SCCall( - _To:Address, - _Amount:BigUint, - _Function:BoxedBytes, - _Arguments:ExpressionList)) - => .K + To:Address, + Amount:BigUint, + Function:BoxedBytes, + Arguments:ExpressionList)) + => concretizeValue(To) + ~> concretizeValue(Amount) + ~> concretizeValue(Function) + ~> concretizeValue(Arguments) endmodule diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k index 5d6a2dc1d..c84736c4b 100644 --- a/multisig/protocol-correctness/proof/invariant/perform-parts.k +++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k 
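Review bot: The rewritten `splitAction` rules pass every payload field to `concretizeValue`, including the `ExpressionList` arguments of `SCDeploy`/`SCCall` and the `CodeMetadata` value, but nothing in this hunk shows that `concretizeValue` has cases for those sorts; if one is missing, the term stays stuck ahead of `splitting-action` and the proof stalls silently rather than failing with a clear message, so this is worth confirming against CONCRETIZE-INSTRUMENTATION. The `RemoveUser` rule also widens its pattern from `address(_:Int)` to any `A:Address`, presumably so that symbolic addresses are concretized as well, and a short comment on the rule group would make the intent clear, e.g. `// Concretize each payload field so performAction is proved per concrete shape.` The enclosing module starts outside this hunk.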
@@ -66,7 +66,8 @@ module PERFORM-PARTS quorum:Usize, ActionStateCell, stack:List, - callerAddress:Address) + callerAddress:Address, + performedActions:List) [function, functional] syntax TTCell ::= performRhs( result:KItem, @@ -81,7 +82,8 @@ module PERFORM-PARTS ActionStateCell, variables:Map, stack:List, - callerAddress:Address) + callerAddress:Address, + performedActions:List) [function, functional] rule performRequires( @@ -218,7 +220,8 @@ module PERFORM-PARTS Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => call(performAction(Action)) ~> K @@ -246,6 +249,9 @@ module PERFORM-PARTS CallerAddress + + PerformedActions + @@ -262,7 +268,8 @@ module PERFORM-PARTS ActionState:ActionStateCell, Variables:Map, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => Result ~> K @@ -290,6 +297,9 @@ module PERFORM-PARTS CallerAddress + + PerformedActions + diff --git a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k index bf61af377..162f95c71 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k @@ -12,7 +12,8 @@ module TRUSTED-COUNT-CAN-SIGN ActionState:ActionStateCell, Variables:Map, Stack:List, - ExternalCallEnv:ExternalCallEnvCell) + ExternalCallEnv:ExternalCallEnvCell, + PerformedActions:List) => countCanSignRhs( u(countCanSignFunction(SignerIds, opaque(UserIdToRole))), @@ -25,7 +26,8 @@ module TRUSTED-COUNT-CAN-SIGN ActionState, ?Variables:Map, Stack, - ExternalCallEnv) + ExternalCallEnv, + PerformedActions:List) requires countCanSignRequires( diff --git a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k index 78c07e0a6..8a1060ab7 100644 
--- a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k +++ b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k @@ -35,7 +35,8 @@ module PROOF-DISCARD-ACTION Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -50,7 +51,8 @@ module PROOF-DISCARD-ACTION Quorum, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers, diff --git a/multisig/protocol-correctness/proof/invariant/proof-init.k b/multisig/protocol-correctness/proof/invariant/proof-init.k index 1d90e9945..f65107d2f 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-init.k +++ b/multisig/protocol-correctness/proof/invariant/proof-init.k @@ -34,7 +34,8 @@ module PROOF-INIT ?Quorum:Usize, ?ActionLastIndex:Usize, ?ActionData:Map, - ?ActionSigners:Map) + ?ActionSigners:Map, + ?PerformedActions:List) requires listElementsAreAddresses(Addresses) //andBool noCommonItem(u(1), .Map, Addresses) @@ -65,6 +66,7 @@ module PROOF-INIT ?Quorum:Usize, ?ActionLastIndex:Usize, ?ActionData:Map, - ?ActionSigners:Map) + ?ActionSigners:Map, + ?PerformedActions:List) ==K initialState endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k index 6b2fb9373..a1ef9d5e5 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k @@ -25,7 +25,8 @@ module PROOF-PERFORM-ACTION-ENDPOINT Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + _PerformedActions:List) => 
@@ -40,7 +41,8 @@ module PROOF-PERFORM-ACTION-ENDPOINT ?Quorum1:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell requires invariant( NumUsers:Usize, @@ -80,7 +82,8 @@ module PROOF-PERFORM-ACTION-ENDPOINT Quorum:Usize, ActionLastIndex:Usize, ActionData:Map, - ActionSigners:Map):StateCell + ActionSigners:Map, + _PerformedActions:List):StateCell => @@ -95,7 +98,8 @@ module PROOF-PERFORM-ACTION-ENDPOINT Quorum:Usize, ActionLastIndex:Usize, ActionData:Map, - ActionSigners:Map):StateCell + ActionSigners:Map, + ?_PerformedActions:List):StateCell endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k index 5a6f67f9e..9be5ee9ab 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-action.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action.k 
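Review bot: Both post-states of PROOF-PERFORM-ACTION-ENDPOINT bind the new list as `?_PerformedActions:List`, so the endpoint proof says nothing about what the call did to the performed-actions record, even though the per-action trusted rules (e.g. proof-perform-add-board-member.k) prepend `ListItem(Action)` on success. The same loss of precision appears in the failure-path rules of proof-perform-add-proposer-1.k, proof-perform-change-quorum.k (second rule), proof-perform-remove-user-3.k and proof-perform-remove-user-7.k, where `_PerformedActions:List` on the left becomes `?_PerformedActions:List` on the right; if a rejected action leaves the list untouched, naming it on both sides, `PerformedActions:List` in place of the two underscore forms, keeps that fact available to later lemmas. Since this list is the only record of which actions were actually executed, leaving it unconstrained means the invariant cannot exclude entries for actions that never ran; if that is deliberate for now, a `// TODO: constrain PerformedActions` on the rule would say so.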
@@ -35,137 +35,53 @@ module TRUSTED-PERFORM-ACTION ~> clearExternalCallEnv ~> runExternalCalls ( EC ) - - - - NumUsers:Usize - UserIdToAddress:Map - AddressToUserId:Map - - - NumBoardMembers:Usize - NumProposers:Usize - UserRoles:Map - Quorum:Usize - - - ActionLastIndex0:Usize - - ActionData0:Map - ActionSigners0:Map - - - - - .Map - + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + CallerAddress:Address, + ListItem(stackEntry(_:MultisigStateCell, _:Map)) + ListItem(stackEntry(_:MultisigStateCell, _:Map)) ListItem(stackEntry( - - - _:Usize - _:Map - _:Map - - - _:Usize - _:Usize - _:Map - _:Usize - - - _:Usize - - _:Map - _:Map - - - , - _:Map)) - ListItem(stackEntry( - - - _:Usize - _:Map - _:Map - - - _:Usize - _:Usize - _:Map - _:Usize - - - _:Usize - - _:Map - _:Map - - - , - _:Map)) - ListItem(stackEntry( - - - NumUsersS:Usize - UserIdToAddressS:Map - AddressToUserIdS:Map - - - NumBoardMembersS:Usize - NumProposersS:Usize - UserRolesS:Map - QuorumS:Usize - - - ActionLastIndexS:Usize - - ActionDataS:Map - ActionSignersS:Map - - - , - .Map)) - - - - CallerAddress:Address - - + invariantMultisigState( + NumUsersS:Usize, + UserIdToAddressS:Map, + AddressToUserIdS:Map, + NumBoardMembersS:Usize, + NumProposersS:Usize, + UserRolesS:Map, + QuorumS:Usize, + ActionLastIndexS:Usize, + ActionDataS:Map, + ActionSignersS:Map):MultisigStateCell, + .Map)), + _PerformedActions:List) => clearExternalCallEnv - ~> runExternalCalls(EC) - - - - - u(?NumUsers1:Int) - ?UserIdToAddress1:Map - ?AddressToUserId1:Map - - - u(?NumBoardMembers1:Int) - u(?NumProposers1:Int) - ?UserRoles1:Map - u(?Quorum1:Int) - - - u(?ActionLastIndex1:Int) - - ?ActionData1:Map - ?ActionSigners1:Map - - - - - .Map - .List - - - CallerAddress:Address - - + ~> runExternalCalls(EC) + invariantStateStack( + u(?NumUsers1:Int), + 
?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + u(?NumBoardMembers1:Int), + u(?NumProposers1:Int), + ?UserRoles1:Map, + u(?Quorum1:Int), + u(?ActionLastIndex1:Int), + ?ActionData1:Map, + ?ActionSigners1:Map, + CallerAddress:Address, + .List, + ?_PerformedActions:List):StateCell requires true andBool invariant( 
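Review bot: The stack pattern in this TRUSTED-PERFORM-ACTION rule uses two-argument entries, `ListItem(stackEntry(_:MultisigStateCell, _:Map))` and a third entry ending in `.Map))`, while the PROOF-PERFORM-ACTION rule later in the same file (the `@@ -246,137 +162,54 @@` hunk) writes the same stack with three-argument entries, `ListItem(stackEntry(_:MultisigStateCell, _:Map, _:List))` and `.Map, _PerformedActionsS:List))`. Unless `stackEntry` is declared with both arities, one of the two forms will not parse, and if both do parse the trusted lemma will not match the configuration the proof produces, so this rule should be aligned with the three-argument form. The post-state additionally drops the list to `?_PerformedActions:List`, so nothing about this action's bookkeeping survives the call. The rule begins before this hunk.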
@@ -246,137 +162,54 @@ module PROOF-PERFORM-ACTION ~> clearExternalCallEnv ~> runExternalCalls ( EC ) - - - - NumUsers:Usize - UserIdToAddress:Map - AddressToUserId:Map - - - NumBoardMembers:Usize - NumProposers:Usize - UserRoles:Map - Quorum:Usize - - - ActionLastIndex0:Usize - - ActionData0:Map - ActionSigners0:Map - - - - - .Map - + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + CallerAddress:Address, + ListItem(stackEntry(_:MultisigStateCell, _:Map, _:List)) + ListItem(stackEntry(_:MultisigStateCell, _:Map, _:List)) ListItem(stackEntry( - - - _:Usize - _:Map - _:Map - - - _:Usize - _:Usize - _:Map - _:Usize - - - _:Usize - - _:Map - _:Map - - - , - _:Map)) - ListItem(stackEntry( - - - _:Usize - _:Map - _:Map - - - _:Usize - _:Usize - _:Map - _:Usize - - - _:Usize - - _:Map - _:Map - - - , - _:Map)) - ListItem(stackEntry( - - - NumUsersS:Usize - UserIdToAddressS:Map - AddressToUserIdS:Map - - - NumBoardMembersS:Usize - NumProposersS:Usize - UserRolesS:Map - QuorumS:Usize - - - ActionLastIndexS:Usize - - ActionDataS:Map - ActionSignersS:Map - - - , - .Map)) - - - - CallerAddress:Address - - + invariantMultisigState( + NumUsersS:Usize, + UserIdToAddressS:Map, + AddressToUserIdS:Map, + NumBoardMembersS:Usize, + NumProposersS:Usize, + UserRolesS:Map, + QuorumS:Usize, + ActionLastIndexS:Usize, + ActionDataS:Map, + ActionSignersS:Map):MultisigStateCell, + .Map, + _PerformedActionsS:List)), + _PerformedActions:List) => clearExternalCallEnv - ~> runExternalCalls(EC) - - - - - u(?NumUsers1:Int) - ?UserIdToAddress1:Map - ?AddressToUserId1:Map - - - u(?NumBoardMembers1:Int) - u(?NumProposers1:Int) - ?UserRoles1:Map - u(?Quorum1:Int) - - - u(?ActionLastIndex1:Int) - - ?ActionData1:Map - ?ActionSigners1:Map - - - - - .Map - .List - - - CallerAddress:Address - - + ~> runExternalCalls(EC) + 
invariantStateStack( + u(?NumUsers1:Int), + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + u(?NumBoardMembers1:Int), + u(?NumProposers1:Int), + ?UserRoles1:Map, + u(?Quorum1:Int), + u(?ActionLastIndex1:Int), + ?ActionData1:Map, + ?ActionSigners1:Map, + CallerAddress:Address, + .List, + ?_PerformedActions:List):StateCell requires true andBool invariant( diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k index 71dfa0d75..bf3beb4aa 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k @@ -22,7 +22,8 @@ module TRUSTED-PERFORM-ADD-BOARD-MEMBER Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -39,7 +40,8 @@ module TRUSTED-PERFORM-ADD-BOARD-MEMBER ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -83,7 +85,8 @@ module PROOF-PERFORM-ADD-BOARD-MEMBER Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -100,7 +103,8 @@ module PROOF-PERFORM-ADD-BOARD-MEMBER ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k index a25809a32..4b7bad098 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k 
@@ -18,7 +18,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-1 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -35,7 +36,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-1 ActionState, ?_Variables:Map, Stack, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequires( Action, @@ -71,7 +73,8 @@ module PROOF-PERFORM-ADD-PROPOSER-1 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -88,7 +91,8 @@ module PROOF-PERFORM-ADD-PROPOSER-1 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k index dfd04ff37..e62d02850 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k @@ -25,7 +25,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-3 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -42,7 +43,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-3 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -91,7 +93,8 @@ module PROOF-PERFORM-ADD-PROPOSER-3 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -108,7 +111,8 @@ module PROOF-PERFORM-ADD-PROPOSER-3 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k index e89fc27bf..026e356f8 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k @@ -25,7 +25,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-5 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -42,7 +43,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-5 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -91,7 +93,8 @@ module PROOF-PERFORM-ADD-PROPOSER-5 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -108,7 +111,8 @@ module PROOF-PERFORM-ADD-PROPOSER-5 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k index dc3a529a7..25db25a01 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k @@ -25,7 +25,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-7 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -42,7 +43,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-7 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, 
@@ -91,7 +93,8 @@ module PROOF-PERFORM-ADD-PROPOSER-7 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -108,7 +111,8 @@ module PROOF-PERFORM-ADD-PROPOSER-7 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k index 50fed9864..939a48ea1 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k @@ -25,7 +25,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-8 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -42,7 +43,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-8 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -90,7 +92,8 @@ module PROOF-PERFORM-ADD-PROPOSER-8 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -107,7 +110,8 @@ module PROOF-PERFORM-ADD-PROPOSER-8 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k index ab3e7d59d..61e5bda20 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k 
@@ -22,7 +22,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-9 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -39,7 +40,8 @@ module TRUSTED-PERFORM-ADD-PROPOSER-9 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -84,7 +86,8 @@ module PROOF-PERFORM-ADD-PROPOSER-9 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -101,7 +104,8 @@ module PROOF-PERFORM-ADD-PROPOSER-9 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k index cd7c98f5f..b5322290a 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k @@ -15,7 +15,8 @@ module TRUSTED-PERFORM-CHANGE-QUORUM OldQuorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -32,7 +33,8 @@ module TRUSTED-PERFORM-CHANGE-QUORUM ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -68,7 +70,8 @@ module TRUSTED-PERFORM-CHANGE-QUORUM OldQuorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -85,7 +88,8 @@ module TRUSTED-PERFORM-CHANGE-QUORUM ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequires( Action, 
@@ -125,7 +129,8 @@ module PROOF-PERFORM-CHANGE-QUORUM OldQuorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -142,7 +147,8 @@ module PROOF-PERFORM-CHANGE-QUORUM ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -177,7 +183,8 @@ module PROOF-PERFORM-CHANGE-QUORUM OldQuorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -194,7 +201,8 @@ module PROOF-PERFORM-CHANGE-QUORUM ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k index 613e06ffc..ab0e1e43d 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k @@ -15,7 +15,8 @@ module TRUSTED-PERFORM-NOTHING Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -32,7 +33,8 @@ module TRUSTED-PERFORM-NOTHING ActionState, ?_Variables:Map, Stack, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -71,7 +73,8 @@ module PROOF-PERFORM-NOTHING Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -88,7 +91,8 @@ module PROOF-PERFORM-NOTHING ActionState, ?_Variables:Map, Stack, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k index 76ace8c93..c9cf9bc63 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k @@ -25,7 +25,8 @@ module TRUSTED-PERFORM-REMOVE-USER-1 u(Quorum:Int), ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -42,7 +43,8 @@ module TRUSTED-PERFORM-REMOVE-USER-1 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequiresHandling( Action, @@ -94,7 +96,8 @@ module PROOF-PERFORM-REMOVE-USER-1 u(Quorum:Int), ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -111,7 +114,8 @@ module PROOF-PERFORM-REMOVE-USER-1 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k index c2519c048..19523700d 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k @@ -22,7 +22,8 @@ module TRUSTED-PERFORM-REMOVE-USER-10 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -39,7 +40,8 @@ module TRUSTED-PERFORM-REMOVE-USER-10 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequiresHandling( Action, 
@@ -86,7 +88,8 @@ module PROOF-PERFORM-REMOVE-USER-10 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -103,7 +106,8 @@ module PROOF-PERFORM-REMOVE-USER-10 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k index 16ecafed0..51283384d 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k @@ -18,7 +18,8 @@ module TRUSTED-PERFORM-REMOVE-USER-3 u(Quorum:Int), ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -35,7 +36,8 @@ module TRUSTED-PERFORM-REMOVE-USER-3 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequiresHandling( Action, @@ -75,7 +77,8 @@ module PROOF-PERFORM-REMOVE-USER-3 u(Quorum:Int), ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -92,7 +95,8 @@ module PROOF-PERFORM-REMOVE-USER-3 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k index 91010586e..e3fea2a9a 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k 
@@ -25,7 +25,8 @@ module TRUSTED-PERFORM-REMOVE-USER-5 u(Quorum:Int), ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -42,7 +43,8 @@ module TRUSTED-PERFORM-REMOVE-USER-5 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequiresHandling( Action, @@ -96,7 +98,8 @@ module PROOF-PERFORM-REMOVE-USER-5 u(Quorum:Int), ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -113,7 +116,8 @@ module PROOF-PERFORM-REMOVE-USER-5 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k index fe8bc9b33..7413bc6d8 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k @@ -18,7 +18,8 @@ module TRUSTED-PERFORM-REMOVE-USER-7 u(Quorum:Int), ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -35,7 +36,8 @@ module TRUSTED-PERFORM-REMOVE-USER-7 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequiresHandling( Action, @@ -74,7 +76,8 @@ module PROOF-PERFORM-REMOVE-USER-7 u(Quorum:Int), ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + _PerformedActions:List) => @@ -91,7 +94,8 @@ module PROOF-PERFORM-REMOVE-USER-7 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ?_PerformedActions:List) requires performRequires( Action, 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k index 77977ad12..0ea3bf3df 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k @@ -22,7 +22,8 @@ module TRUSTED-PERFORM-REMOVE-USER-9 Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -39,7 +40,8 @@ module TRUSTED-PERFORM-REMOVE-USER-9 ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequiresHandling( Action, @@ -88,7 +90,8 @@ module PROOF-PERFORM-REMOVE-USER-9 Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -105,7 +108,8 @@ module PROOF-PERFORM-REMOVE-USER-9 ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k index ada1e0f64..3df8955ca 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k @@ -19,7 +19,8 @@ module TRUSTED-PERFORM-S-C-CALL Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -36,7 +37,8 @@ module TRUSTED-PERFORM-S-C-CALL ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, 
@@ -71,7 +73,8 @@ module PROOF-PERFORM-S-C-CALL Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -88,7 +91,8 @@ module PROOF-PERFORM-S-C-CALL ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k index 72abceb2a..c609dc217 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k @@ -19,7 +19,8 @@ module TRUSTED-PERFORM-S-C-DEPLOY Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -36,7 +37,8 @@ module TRUSTED-PERFORM-S-C-DEPLOY ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -71,7 +73,8 @@ module PROOF-PERFORM-S-C-DEPLOY Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -88,7 +91,8 @@ module PROOF-PERFORM-S-C-DEPLOY ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k index aad935b68..a58304288 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k 
@@ -15,7 +15,8 @@ module TRUSTED-PERFORM-SEND-EGLD Quorum:Usize, ActionState:ActionStateCell, Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -32,7 +33,8 @@ module TRUSTED-PERFORM-SEND-EGLD ActionState, ?_Variables:Map, Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, @@ -63,7 +65,8 @@ module PROOF-PERFORM-SEND-EGLD Quorum:Usize, ActionState:ActionStateCell, .List, // TODO: Stack:List, - CallerAddress:Address) + CallerAddress:Address, + PerformedActions:List) => @@ -80,7 +83,8 @@ module PROOF-PERFORM-SEND-EGLD ActionState, ?_Variables:Map, .List, // TODO: Stack:List, - CallerAddress) + CallerAddress, + ListItem(Action) PerformedActions:List) requires performRequires( Action, diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k index cf4cccd08..61b08439f 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k @@ -31,7 +31,8 @@ module PROOF-PROPOSE-ADD-BOARD-MEMBER Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -46,7 +47,8 @@ module PROOF-PROPOSE-ADD-BOARD-MEMBER Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k index 491acd437..ce28677e2 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-proposer.k 
@@ -31,7 +31,8 @@ module PROOF-PROPOSE-ADD-PROPOSER Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -46,7 +47,8 @@ module PROOF-PROPOSE-ADD-PROPOSER Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k index 0575e1025..376838286 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-change-quorum.k @@ -31,7 +31,8 @@ module PROOF-PROPOSE-CHANGE-QUORUM Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -46,7 +47,8 @@ module PROOF-PROPOSE-CHANGE-QUORUM Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k index 5d91f9f64..e90fc2fbe 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-remove-user.k @@ -31,7 +31,8 @@ module PROOF-PROPOSE-REMOVE-USER Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -46,7 +47,8 @@ module PROOF-PROPOSE-REMOVE-USER Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k index 1589b3f27..d0673b17a 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-call.k @@ -35,7 +35,8 @@ module PROOF-PROPOSE-SC-CALL Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -50,7 +51,8 @@ module PROOF-PROPOSE-SC-CALL Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k index 4182e05a5..db06b3175 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-sc-deploy.k @@ -37,7 +37,8 @@ module PROOF-PROPOSE-SC-DEPLOY Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -52,7 +53,8 @@ module PROOF-PROPOSE-SC-DEPLOY Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k index ad8d61608..4ee865f64 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k +++ b/multisig/protocol-correctness/proof/invariant/proof-propose-send-egld.k 
@@ -31,7 +31,8 @@ module PROOF-PROPOSE-SEND-EGLD Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -46,7 +47,8 @@ module PROOF-PROPOSE-SEND-EGLD Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-sign.k b/multisig/protocol-correctness/proof/invariant/proof-sign.k index f012a137e..085da157e 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-sign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-sign.k @@ -35,7 +35,8 @@ module PROOF-SIGN Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -50,7 +51,8 @@ module PROOF-SIGN Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/invariant/proof-unsign.k b/multisig/protocol-correctness/proof/invariant/proof-unsign.k index 4fb78a2c2..0f1989a87 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-unsign.k +++ b/multisig/protocol-correctness/proof/invariant/proof-unsign.k @@ -39,7 +39,8 @@ module PROOF-UNSIGN Quorum:Usize, ActionLastIndex0:Usize, ActionData0:Map, - ActionSigners0:Map) + ActionSigners0:Map, + PerformedActions:List) => @@ -54,7 +55,8 @@ module PROOF-UNSIGN Quorum:Usize, ?ActionLastIndex1:Usize, ?ActionData1:Map, - ?ActionSigners1:Map):StateCell + ?ActionSigners1:Map, + PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k index 380798c1c..f404979e6 100644 
--- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-2.k @@ -28,7 +28,8 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 Quorum:Usize, ActionLastIndex:Usize, (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, - ActionSigners:Map) + ActionSigners:Map, + PerformedActions:List) => @@ -43,7 +44,8 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-2 Quorum, ActionLastIndex, ActionData, - (ActionIndex |-> ?Signatures) ActionSigners):StateCell + (ActionIndex |-> ?Signatures) ActionSigners, + PerformedActions:List):StateCell requires invariant( NumUsers, @@ -116,7 +118,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-2 Quorum:Usize, ActionLastIndex:Usize, (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, - ActionSigners:Map) + ActionSigners:Map, + PerformedActions:List) => @@ -131,7 +134,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-2 Quorum, ActionLastIndex, ActionData, - (ActionIndex |-> ?Signatures) ActionSigners):StateCell + (ActionIndex |-> ?Signatures) ActionSigners, + PerformedActions:List):StateCell requires invariant( NumUsers, diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k index bf33f120d..26b080f76 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for-3.k @@ -18,7 +18,8 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 Quorum:Usize, ActionLastIndex:Usize, (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, - ActionSigners:Map) + ActionSigners:Map, + PerformedActions:List) => @@ -33,7 +34,8 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR-3 Quorum, ActionLastIndex, ActionData, - ActionSigners):StateCell + ActionSigners, + PerformedActions:List):StateCell requires invariant( NumUsers, 
@@ -83,7 +85,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-3 Quorum:Usize, ActionLastIndex:Usize, (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, - ActionSigners:Map) + ActionSigners:Map, + PerformedActions:List) => @@ -98,7 +101,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR-3 Quorum, ActionLastIndex, ActionData, - ActionSigners):StateCell + ActionSigners, + PerformedActions:List):StateCell requires invariant( NumUsers, diff --git a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k index fe0c62479..d5a9eb488 100644 --- a/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k +++ b/multisig/protocol-correctness/proof/properties/proof-board-members-sign-for.k @@ -26,7 +26,8 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR Quorum:Usize, ActionLastIndex:Usize, (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, - ActionIndex |-> Signatures:ExpressionList ActionSigners:Map) + ActionIndex |-> Signatures:ExpressionList ActionSigners:Map, + PerformedActions:List) => @@ -41,7 +42,8 @@ module TRUSTED-BOARD-MEMBERS-SIGN-FOR Quorum, ActionLastIndex, ActionData, - ActionIndex |-> ?Signatures ActionSigners):StateCell + ActionIndex |-> ?Signatures ActionSigners, + PerformedActions:List):StateCell requires invariant( NumUsers, @@ -112,7 +114,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR Quorum:Usize, ActionLastIndex:Usize, (ActionIndex |-> _Action:KItem _ActionData:Map) #as ActionData:Map, - ActionIndex |-> Signatures:ExpressionList ActionSigners:Map) + ActionIndex |-> Signatures:ExpressionList ActionSigners:Map, + PerformedActions:List) => @@ -127,7 +130,8 @@ module PROOF-BOARD-MEMBERS-SIGN-FOR Quorum, ActionLastIndex, ActionData, - ActionIndex |-> ?Signatures ActionSigners):StateCell + ActionIndex |-> ?Signatures ActionSigners, + PerformedActions:List):StateCell requires invariant( NumUsers, 
diff --git a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k index f3fa3fe77..9ab6ebe54 100644 --- a/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k +++ b/multisig/protocol-correctness/proof/properties/proof-can-propose-and-execute.k @@ -43,7 +43,8 @@ module PROOF-CAN-PROPOSE-AND-EXECUTE Quorum:Usize, ActionLastIndex:Usize, ActionData:Map, - ActionSigners:Map) + ActionSigners:Map, + _PerformedActions:List) => @@ -58,7 +59,8 @@ module PROOF-CAN-PROPOSE-AND-EXECUTE u(0), add(ActionLastIndex, u(1)), ActionData:Map, - ActionSigners:Map):StateCell + ActionSigners:Map, + ?_PerformedActions:List):StateCell requires invariant( NumUsers:Usize, diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k index a9df25646..fe484105c 100644 --- a/multisig/protocol-correctness/pseudocode.k +++ b/multisig/protocol-correctness/pseudocode.k @@ -130,7 +130,8 @@ module PSEUDOCODE-SYNTAX | "pushList" // ([list], Usize) | "isEmptyActionData" // (action_id) | "canSign" // (user_id) - | "performAction" // (action_id) + | "performAction" // (action) + | "performActionNoLogging" // (action) | "performActionFromId" // (action_id) | "quorumReached" // (action_id) | "clearAction" // (action_id) @@ -497,7 +498,7 @@ module PSEUDOCODE-FUNCTIONS syntax KItem ::= call(Expression) syntax KItem ::= Expression - syntax Stack ::= stackEntry(MultisigStateCell, Map) + syntax Stack ::= stackEntry(MultisigStateCell, variables:Map, performedActions:List) context evaluate(_:FunctionTag( {HOLE => evaluateAc(HOLE)}:>ArgumentCSV @@ -518,9 +519,12 @@ module PSEUDOCODE-FUNCTIONS S:MultisigStateCell V:Map => .Map - (.List => ListItem(stackEntry(S, V))) ... + (.List => ListItem(stackEntry(S, V, Log))) ... _:ExternalCallEnvCell + + Log:List + rule (evaluate(E:Expression) => E) ~> popContext ... 
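Review bot: The post-state in the second hunk of proof-can-propose-and-execute.k is `?_PerformedActions:List`, an unconstrained existential, so this property no longer states that the proposed action ended up in the log, even though the perform proofs on this page pin it as `ListItem(Action) PerformedActions:List`. If the property is meant to show that a proposal can actually be executed, binding the log on the left as `PerformedActions:List` and asserting the appended entry on the right would make that explicit; the action variable of this claim lies outside the hunk, so the exact term cannot be given here.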
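Review bot: `performActionNoLogging` is declared among the same `FunctionTag` alternatives as the user-visible functions, with nothing marking it as internal, so pseudocode elsewhere could call it and execute an action that never reaches `PerformedActions`, which the proofs on this page now match on. A comment on the production would protect that assumption: `| "performActionNoLogging" // (action) - internal to performAction; calling it directly skips the PerformedActions log`.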
@@ -528,7 +532,7 @@ module PSEUDOCODE-FUNCTIONS rule E:Expression ~> (popContext => .K) ... _ => V - (ListItem(stackEntry(_, V:Map)) => .List) ... + (ListItem(stackEntry(_, V:Map, _)) => .List) ... requires isKResult(E) rule (E:Expression ~> evaluateReturnValue) => evaluate(E) ... @@ -539,9 +543,12 @@ module PSEUDOCODE-FUNCTIONS (_ => S) _ => V - (ListItem(stackEntry(S:MultisigStateCell, V:Map)) => .List) ... + (ListItem(stackEntry(S:MultisigStateCell, V:Map, Log:List)) => .List) ... _:ExternalCallEnvCell + + _:List => Log + rule error ~> (evaluateReturnValue => .K) ... @@ -890,21 +897,26 @@ module PSEUDOCODE-FUNCTIONS ) - rule call(performAction(Nothing)) => evaluate(void) + rule call(performAction(Action:Action)) + => call(performActionNoLogging(Action)) + ... + Log:List => ListItem(Action) Log + + rule call(performActionNoLogging(Nothing)) => evaluate(void) - rule call(performAction(AddBoardMember(BoardMemberAddress:Address))) + rule call(performActionNoLogging(AddBoardMember(BoardMemberAddress:Address))) => runPseudoCode( changeUserRole(BoardMemberAddress, BoardMember); ) - rule call(performAction(AddProposer(ProposerAddress:Address))) + rule call(performActionNoLogging(AddProposer(ProposerAddress:Address))) => runPseudoCode( changeUserRole(ProposerAddress, Proposer); new_board_members = getNumBoardMembers(); require(getQuorum() <= new_board_members); ) - rule call(performAction(RemoveUser(UserAddress:Address))) + rule call(performActionNoLogging(RemoveUser(UserAddress:Address))) => runPseudoCode( changeUserRole(UserAddress, None); num_board_members = getNumBoardMembers(); 
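Review bot: In the new `performAction` rule the entry `ListItem(Action)` is prepended to `Log` before `performActionNoLogging(Action)` runs, so the log is newest-first and briefly lists an action whose `require` checks have not passed yet. The -539 hunk on this line appears to restore the saved `Log` when the context is unwound, which is what would make a rejected action disappear from the log again; every log-based property depends on that pairing, so it is worth stating next to the rule: `// Logged before execution; relies on the context-unwinding rule restoring Log on abort.`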
@@ -913,18 +925,18 @@ module PSEUDOCODE-FUNCTIONS require(getQuorum() <= num_board_members); ) - rule call(performAction(ChangeQuorum(NewQuorum))) + rule call(performActionNoLogging(ChangeQuorum(NewQuorum))) => runPseudoCode( require(NewQuorum <= getNumBoardMembers()); setQuorum(NewQuorum); ) - rule call(performAction(SendEgld(To:Address, Amount:BigUint, Data:BoxedBytes))) + rule call(performActionNoLogging(SendEgld(To:Address, Amount:BigUint, Data:BoxedBytes))) => runPseudoCode( sendTx(To, Amount, Data); ) - rule call(performAction(SCDeploy( + rule call(performActionNoLogging(SCDeploy( Amount:BigUint, Code:BoxedBytes, CodeMetadata:CodeMetadata, @@ -936,7 +948,7 @@ module PSEUDOCODE-FUNCTIONS void; ) - rule call(performAction(SCCall(To:Address, Amount:BigUint, Function:BoxedBytes, [Arguments:ExpressionCSV]))) + rule call(performActionNoLogging(SCCall(To:Address, Amount:BigUint, Function:BoxedBytes, [Arguments:ExpressionCSV]))) => runPseudoCode( asyncCall(To, Amount, [Function , Arguments]); ) @@ -1256,6 +1268,9 @@ module PSEUDOCODE-CONFIGURATION uninitialized + + .List + @@ -1290,5 +1305,8 @@ module PSEUDOCODE-CONFIGURATION uninitialized + + .List + endmodule From 3f79466ed1c98205a06d56bc88bf85204e9e85f3 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Tue, 6 Apr 2021 00:47:15 +0300 Subject: [PATCH 20/37] Malicious user properties --- .../proof/malicious-user/Makefile | 26 +++++++++ .../malicious-user/malicious-user-execute.k | 11 ++++ .../proof/malicious-user/malicious-user.mak | 41 ++++++++++++++ .../malicious-user/proof-cannot-perform.k | 55 +++++++++++++++++++ 4 files changed, 133 insertions(+) create mode 100644 multisig/protocol-correctness/proof/malicious-user/Makefile create mode 100644 multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k create mode 100644 multisig/protocol-correctness/proof/malicious-user/malicious-user.mak create mode 100644 multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k 
diff --git a/multisig/protocol-correctness/proof/malicious-user/Makefile b/multisig/protocol-correctness/proof/malicious-user/Makefile
new file mode 100644
index 000000000..f5d0cb32a
--- /dev/null
+++ b/multisig/protocol-correctness/proof/malicious-user/Makefile
@@ -0,0 +1,26 @@
+include ../settings.mak
+
+.PHONY: default
+default: all ;
+
+SCRIPT_DIR=..
+
+PROOF_DIR := ..
+include ../proof-dependency.mak
+
+# MAP_DIR := ../map
+# include $(MAP_DIR)/map.mak
+
+INVARIANT_DIR := ../invariant
+include $(INVARIANT_DIR)/invariant.mak
+
+MALICIOUS_USER_DIR := .
+include malicious_user.mak
+
+.PHONY: all clean execution
+
+all: out/malicious_user.proof.timestamp
+
+execution: out/malicious_user.execution.timestamp
+
+clean: malicious_user.clean
diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
new file mode 100644
index 000000000..053c3d957
--- /dev/null
+++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
@@ -0,0 +1,11 @@
+require "../execution-proof.k"
+require "../invariant/invariant-execution.k"
+
+module MALICIOUS-USER-EXECUTE-SYNTAX
+ imports EXECUTION-PROOF-SYNTAX
+endmodule
+
+module MALICIOUS-USER-EXECUTE
+ imports EXECUTION-PROOF
+ imports INVARIANT-EXECUTION
+endmodule
\ No newline at end of file
diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak b/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak
new file mode 100644
index 000000000..12bbc1407
--- /dev/null
+++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak
@@ -0,0 +1,41 @@
+MALICIOUS_USER_OUT_PREFIX=out/malicious_user.
+
+MALICIOUS_USER_ALL := $(wildcard $(MALICIOUS_USER_DIR)/*.k)
+MALICIOUS_USER_PROOFS := $(wildcard $(MALICIOUS_USER_DIR)/proof-*.k)
+MALICIOUS_USER_EXECUTION := $(filter-out $(MALICIOUS_USER_PROOFS), $(MALICIOUS_USER_ALL)) $(PROOF_EXECUTION) $(INVARIANT_EXECUTION)
+
+MALICIOUS_USER_PROOF_TIMESTAMPS := $(addprefix $(MALICIOUS_USER_OUT_PREFIX),$(notdir ${MALICIOUS_USER_PROOFS:.k=.timestamp}))
+MALICIOUS_USER_PROOF_DEBUGGERS := $(addprefix $(MALICIOUS_USER_OUT_PREFIX),$(notdir ${MALICIOUS_USER_PROOFS:.k=.debugger}))
+
+.PHONY: malicious_user.clean ${MALICIOUS_USER_PROOF_DEBUGGERS}
+
+$(MALICIOUS_USER_OUT_PREFIX)proof.timestamp: ${MALICIOUS_USER_PROOF_TIMESTAMPS}
+ $(DIR_GUARD)
+ @touch $(MALICIOUS_USER_OUT_PREFIX)proof.timestamp
+
+$(MALICIOUS_USER_OUT_PREFIX)proof-%.timestamp: ${MALICIOUS_USER_DIR}/proof-%.k $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Proving $*..."
+ @cat /proc/uptime | sed 's/\s.*//' > $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration.temp
+ @((kprove $< --directory $(MALICIOUS_USER_DIR) --haskell-backend-command $(BACKEND_COMMAND) > $(MALICIOUS_USER_OUT_PREFIX)proof-$*.out 2>&1) && echo "$* done") || (cat $(MALICIOUS_USER_OUT_PREFIX)proof-$*.out; echo "$* failed"; echo "$*" >> $(MALICIOUS_USER_OUT_PREFIX)failures; false)
+ @cat /proc/uptime | sed 's/\s.*//' >> $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration.temp
+ @$(SCRIPT_DIR)/compute-duration.py $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration.temp > $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration
+ @rm $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration.temp
+ @touch $(MALICIOUS_USER_OUT_PREFIX)proof-$*.timestamp
+
+$(MALICIOUS_USER_OUT_PREFIX)proof-%.debugger: ${MALICIOUS_USER_DIR}/proof-%.k $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
+ $(DIR_GUARD)
+ @echo "Debugging $*..."
+ @kprove $< --directory $(MALICIOUS_USER_DIR) --haskell-backend-command $(DEBUG_COMMAND)
+
+$(MALICIOUS_USER_OUT_PREFIX)execution.timestamp: $(MALICIOUS_USER_DIR)/malicious_user-execute.k $(MALICIOUS_USER_EXECUTION)
+ $(DIR_GUARD)
+ @echo "Compiling execution..."
+ @kompile $< --backend haskell --directory $(MALICIOUS_USER_DIR)
+ @touch $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
+
+malicious_user.clean:
+ -rm -r $(MALICIOUS_USER_DIR)/*-kompiled
+ -rm -r .kprove-*
+ -rm kore-*.tar.gz
+ -rm $(MALICIOUS_USER_OUT_PREFIX)*
diff --git a/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k b/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k
new file mode 100644
index 000000000..348091a37
--- /dev/null
+++ b/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k
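Review bot: The `proof-%.timestamp` recipe appends `$*` to `$(MALICIOUS_USER_OUT_PREFIX)failures` when a proof fails, but no rule in this file ever truncates that file, so names from earlier runs stay listed until `malicious_user.clean` deletes `out/`; removing it before the proof targets are built would keep the list meaningful. `cat /proc/uptime | sed 's/\s.*//'` also ties the build to Linux for what is only a start/end timestamp. The recipe lines have lost their leading tabs in this rendering; the committed file presumably has them, since make requires them.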
@@ -0,0 +1,55 @@
+module PROOF-CANNOT-PERFORM
+ imports MALICIOUS-USER-EXECUTION
+ imports PSEUDOCODE
+
+ claim
+ runExternalCallsFromUser(MaliciousAddress:Address) ~> K:K
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex0:Usize,
+ ActionId:Usize -> Action:Action,
+ .Map,
+ .List,
+ PerformedActions:List)
+
+ =>
+
+ runExternalCalls(EC)
+ invariantState(
+ NumUsers,
+ ?UserIdToAddress:Map,
+ ?AddressToUserId:Map,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ?ActionLastIndex1:Usize,
+ ?ActionData1:Map,
+ ?ActionSigners1:Map,
+ .List,
+ PerformedActions:List):StateCell
+
+ requires true
+ andBool maliciousInvariant(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex0:Usize,
+ ActionData0:Map,
+ ActionSigners0:Map,
+ expand(expanded))
+ ensures true
+ andBool mapIncluded(AddressToUserId, ?AddressToUserId)
+ andBool mapIncluded(UserIdToAddress, ?UserIdToAddress)
+ andBool atMostOneSigner(?ActionSigners1)
+endmodule
From e0cb55817ee56da0f69f4b34bdded5c8ece703d0 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Mon, 12 Apr 2021 16:55:22 +0300 Subject: [PATCH 21/37] Invariant --- .../proof/malicious-user/Makefile | 8 +-- .../malicious-user/malicious-user-execute.k | 35 ++++++++++ .../proof/malicious-user/malicious-user.mak | 8 +-- .../malicious-user/proof-call-invariant.k | 64 +++++++++++++++++++ .../malicious-user/proof-cannot-perform.k | 10 ++- 5 files changed, 111 insertions(+), 14 deletions(-) create mode 100644 multisig/protocol-correctness/proof/malicious-user/proof-call-invariant.k
diff --git a/multisig/protocol-correctness/proof/malicious-user/Makefile b/multisig/protocol-correctness/proof/malicious-user/Makefile
index f5d0cb32a..6a16a293f 100644
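Review bot: Several variables in this claim are never bound on its left-hand side: `EC` in `runExternalCalls(EC)`, and `ActionData0:Map` and `ActionSigners0:Map` inside `maliciousInvariant(...)`, while the matching left-hand positions hold `ActionId:Usize -> Action:Action` and `.Map`; as written the prover cannot instantiate them, so the claim will be rejected or will prove something other than intended. `MaliciousAddress` is used only in the `runExternalCallsFromUser(...)` call, so unless `maliciousInvariant` (defined off-page) ties it to `UserRoles`, nothing prevents the caller from being a board member and the "cannot perform" property would not be about an outsider at all. The `runExternalCallsFromUser` helper added in PATCH 21 on this page takes a second `steps:Int` argument, so this one-argument form is also stale; PATCH 21 touches this file, but that hunk is not on the page.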
--- a/multisig/protocol-correctness/proof/malicious-user/Makefile
+++ b/multisig/protocol-correctness/proof/malicious-user/Makefile
@@ -15,12 +15,12 @@ INVARIANT_DIR := ../invariant
 include $(INVARIANT_DIR)/invariant.mak
 MALICIOUS_USER_DIR := .
-include malicious_user.mak
+include malicious-user.mak
 .PHONY: all clean execution
-all: out/malicious_user.proof.timestamp
+all: out/malicious-user.proof.timestamp
-execution: out/malicious_user.execution.timestamp
+execution: out/malicious-user.execution.timestamp
-clean: malicious_user.clean
+clean: malicious-user.clean
diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
index 053c3d957..1ca648cd8 100644
--- a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
+++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
@@ -5,6 +5,41 @@ module MALICIOUS-USER-EXECUTE-SYNTAX
 imports EXECUTION-PROOF-SYNTAX
 endmodule
 
+module MALICIOUS-USER-HELPERS
+
+ syntax KItem ::= runExternalCallsFromUser(Address, steps:Int)
+
+ rule runExternalCallsFromUser(A:Address, Steps:Int) => .K
+ requires Steps <=Int 0
+ rule runExternalCallsFromUser(A:Address, Steps:Int)
+ => runExternalCallFromUser(A) ~> runExternalCallsFromUser(A, Steps -Int 1)
+ requires Steps >Int 0
+
+ syntax KItem ::= runExternalCallFromUser(Address)
+
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeAddBoardMember(U:Usize))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeAddProposer(U:Usize))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeRemoveUser(U:Usize))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeChangeQuorum(Quorum:Usize))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeSendEgld(To:Address, Amount:BigUint, Data:BoxedBytes))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeSCDeploy(
+ Amount:BigUint,
+ Code:BoxedBytes,
+ Upgradeable:Bool,
+ Payable:Bool,
+ Readable:Bool,
+ Args:ExpressionList))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeSCCall(
+ To:Address,
+ Amount:BigUint,
+ Function:BoxedBytes,
+ Args:ExpressionList))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run sign(A:ActionId))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run unsign(A:ActionId))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run performActionEndpoint(A:ActionId))
+ rule runExternalCallFromUser(A:Address) => runExternalCall(from A run discardAction(A:ActionId))
+endmodule
+
 module MALICIOUS-USER-EXECUTE
 imports EXECUTION-PROOF
 imports INVARIANT-EXECUTION
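Review bot: The last four rules of `runExternalCallFromUser` rebind `A` as `A:ActionId` after the left-hand side has bound it as `A:Address`; a name is one variable per rule in K, so this either fails sort checking or, worse, restricts the modelled caller to signing, unsigning, performing or discarding only the action whose id coincides with its own address, which silently shrinks the set of behaviours that PROOF-CALL-INVARIANT and PROOF-CANNOT-PERFORM quantify over. Use a distinct name, e.g. `rule runExternalCallFromUser(A:Address) => runExternalCall(from A run sign(Id:ActionId))`, and likewise for `unsign`, `performActionEndpoint` and `discardAction`. The right-hand-side-only variables (`U:Usize`, `Quorum:Usize`, `To`, `Amount`, `Data`, `Code`, `Args`, …) are evidently the intended arbitrary inputs; if this K version rejects unbound right-hand-side variables in rules they need a `?` or `!` prefix, and `A` in the `Steps <=Int 0` rule should be `_A` so it is not reported as unused. A comment on `runExternalCallsFromUser` saying that it models `Steps` consecutive endpoint calls with arbitrary arguments from one untrusted address would help readers of the proofs that import this module.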
diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak b/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak index 12bbc1407..635fc0bcd 100644 --- a/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak +++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak @@ -1,4 +1,4 @@ -MALICIOUS_USER_OUT_PREFIX=out/malicious_user. +MALICIOUS_USER_OUT_PREFIX=out/malicious-user. MALICIOUS_USER_ALL := $(wildcard $(MALICIOUS_USER_DIR)/*.k) MALICIOUS_USER_PROOFS := $(wildcard $(MALICIOUS_USER_DIR)/proof-*.k) @@ -7,7 +7,7 @@ MALICIOUS_USER_EXECUTION := $(filter-out $(MALICIOUS_USER_PROOFS), $(MALICIOUS_U MALICIOUS_USER_PROOF_TIMESTAMPS := $(addprefix $(MALICIOUS_USER_OUT_PREFIX),$(notdir ${MALICIOUS_USER_PROOFS:.k=.timestamp})) MALICIOUS_USER_PROOF_DEBUGGERS := $(addprefix $(MALICIOUS_USER_OUT_PREFIX),$(notdir ${MALICIOUS_USER_PROOFS:.k=.debugger})) -.PHONY: malicious_user.clean ${MALICIOUS_USER_PROOF_DEBUGGERS} +.PHONY: malicious-user.clean ${MALICIOUS_USER_PROOF_DEBUGGERS} $(MALICIOUS_USER_OUT_PREFIX)proof.timestamp: ${MALICIOUS_USER_PROOF_TIMESTAMPS} $(DIR_GUARD) @@ -28,13 +28,13 @@ $(MALICIOUS_USER_OUT_PREFIX)proof-%.debugger: ${MALICIOUS_USER_DIR}/proof-%.k $( @echo "Debugging $*..." @kprove $< --directory $(MALICIOUS_USER_DIR) --haskell-backend-command $(DEBUG_COMMAND) -$(MALICIOUS_USER_OUT_PREFIX)execution.timestamp: $(MALICIOUS_USER_DIR)/malicious_user-execute.k $(MALICIOUS_USER_EXECUTION) +$(MALICIOUS_USER_OUT_PREFIX)execution.timestamp: $(MALICIOUS_USER_DIR)/malicious-user-execute.k $(MALICIOUS_USER_EXECUTION) $(DIR_GUARD) @echo "Compiling execution..." @kompile $< --backend haskell --directory $(MALICIOUS_USER_DIR) @touch $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp -malicious_user.clean: +malicious-user.clean: -rm -r $(MALICIOUS_USER_DIR)/*-kompiled -rm -r .kprove-* -rm kore-*.tar.gz 
diff --git a/multisig/protocol-correctness/proof/malicious-user/proof-call-invariant.k b/multisig/protocol-correctness/proof/malicious-user/proof-call-invariant.k
new file mode 100644
index 000000000..226d53c29
--- /dev/null
+++ b/multisig/protocol-correctness/proof/malicious-user/proof-call-invariant.k
@@ -0,0 +1,64 @@
+module PROOF-CALL-INVARIANT
+ imports MALICIOUS-USER-EXECUTE
+ imports PSEUDOCODE
+
+ claim
+ runExternalCallFromUser(MaliciousAddress:Address) ~> K:K
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ PerformedActions:List)
+
+ =>
+
+ runExternalCalls(EC)
+ invariantState(
+ NumUsers,
+ ?UserIdToAddress:Map,
+ ?AddressToUserId:Map,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ?ActionLastIndex:Usize,
+ ?ActionData:Map,
+ ?ActionSigners:Map,
+ PerformedActions:List):StateCell
+
+ requires true
+ andBool maliciousInvariant(
+ MaliciousAddress,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ expand(expanded))
+ ensures true
+ andBool maliciousInvariant(
+ MaliciousAddress,
+ NumUsers,
+ ?UserIdToAddress,
+ ?AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ?ActionLastIndex,
+ ?ActionData,
+ ?ActionSigners,
+ usesExpanded)
+endmodule
diff --git a/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k b/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k
index 348091a37..ba45872f9 100644
--- a/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k
+++ b/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k
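Review bot: The right-hand side `runExternalCalls(EC)` does not correspond to the left-hand side `runExternalCallFromUser(MaliciousAddress) ~> K:K`: `EC` is bound nowhere and the `K:K` continuation disappears, so unless `runExternalCalls` is deliberately a distinct terminal term here this looks copied from another claim and should presumably be `K:K` (or `?_:K`). The precondition checks `maliciousInvariant(..., expand(expanded))` while the postcondition checks `maliciousInvariant(..., usesExpanded)`; if the last argument only selects an unfolded versus folded form of the same predicate, a comment on the `ensures` saying so would stop a reader from taking the two for different properties. The claim also asserts, by reusing `NumUsers`, `NumBoardMembers`, `NumProposers`, `UserRoles`, `Quorum` and `PerformedActions` unprimed on the right-hand side, that a single call from `MaliciousAddress` changes none of them; that is the security statement and deserves a one-line comment above `claim`.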
@@ -1,9 +1,9 @@
 module PROOF-CANNOT-PERFORM
- imports MALICIOUS-USER-EXECUTION
+ imports MALICIOUS-USER-EXECUTE
 imports PSEUDOCODE
 
 claim
- runExternalCallsFromUser(MaliciousAddress:Address) ~> K:K
+ runExternalCallsFromUser(MaliciousAddress:Address, _Count:Int) ~> K:K
 invariantState(
 NumUsers:Usize,
 UserIdToAddress:Map,
@@ -13,9 +13,8 @@ module PROOF-CANNOT-PERFORM
 UserRoles:Map,
 Quorum:Usize,
 ActionLastIndex0:Usize,
- ActionId:Usize -> Action:Action,
- .Map,
- .List,
+ ActionId:Usize |-> Action:Action,
+ .Map, // ActionSigners
 PerformedActions:List)
 
 =>
@@ -32,7 +31,6 @@ module PROOF-CANNOT-PERFORM
 ?ActionLastIndex1:Usize,
 ?ActionData1:Map,
 ?ActionSigners1:Map,
- .List,
 PerformedActions:List):StateCell
 
 requires true
From ac6f3108ef29123ee721274fcc86e4a3c708d684 Mon Sep 17 00:00:00 2001
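Review bot: `maliciousInvariant` in the new PROOF-CALL-INVARIANT of this same commit takes `MaliciousAddress` as its first argument, but the `requires` block of this file lies outside the hunk and, as the file was created earlier in the series, calls `maliciousInvariant(NumUsers:Usize, ...)` without it and with `ActionData0`/`ActionSigners0` that the left-hand side still does not bind after this change (`ActionId:Usize |-> Action:Action` and `.Map` are the bound terms); if that block was not updated elsewhere the claim will not parse against the new arity. The `_Count:Int` parameter is anonymous, which is the right shape for a claim over any number of calls, but a comment such as `// holds for any number of consecutive calls from MaliciousAddress` on the `claim` line would record that this is intentional rather than an oversight. The claim body continues outside the hunk.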
From: Virgil Serbanuta Date: Tue, 13 Apr 2021 15:18:51 +0300 Subject: [PATCH 22/37] Fix merge errors --- .../proof/functions/proof-count-can-sign.k | 6 ++++-- .../proof/functions/proof-discard-action-has-signers.k | 6 ++++-- .../proof/functions/proof-discard-action-no-role.k | 6 ++++-- .../functions/proof-discard-action-no-signers-no-action.k | 6 ++++-- .../proof/functions/proof-discard-action-no-signers.k | 6 ++++-- .../proof/functions/proof-discard-action-no-user.k | 6 ++++-- .../proof-discard-action-no-valid-signers-no-action.k | 6 ++++-- .../proof/functions/proof-discard-action-no-valid-signers.k | 6 ++++-- .../proof/functions/proof-propose-action-error-no-role.k | 6 ++++-- .../proof/functions/proof-propose-action-error-no-user.k | 6 ++++-- .../proof/functions/proof-propose-sc-deploy-BoardMember.k | 6 ++++-- .../proof/functions/proof-propose-sc-deploy-Proposer.k | 6 ++++-- .../proof/functions/proof-propose-sc-deploy-error-no-role.k | 6 ++++-- .../proof/functions/proof-propose-sc-deploy-error-no-user.k | 6 ++++-- .../proof/functions/proof-propose-sc-deploy-fragment.k | 6 ++++-- .../proof/functions/proof-unsign-Proposer.k | 6 ++++-- .../proof/functions/proof-unsign-no-action.k | 6 ++++-- .../proof/functions/proof-unsign-no-role.k | 6 ++++-- .../proof/functions/proof-unsign-no-signers.k | 6 ++++-- .../proof/functions/proof-unsign-no-user.k | 6 ++++-- .../proof/functions/proof-unsign-not-signed.k | 6 ++++-- .../proof/functions/proof-unsign-only-signer.k | 6 ++++-- .../proof/functions/proof-unsign-other-signers-first.k | 6 ++++-- .../proof/functions/proof-unsign-other-signers-not-first.k | 6 ++++-- 24 files changed, 96 insertions(+), 48 deletions(-) diff --git a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k index 4f1571d68..3a06ac732 100644 --- a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k @@ -23,7 +23,8 @@ module PROOF-COUNT-CAN-SIGN ActionSigners:Map, CallerAddress:Address, Stack:List, - .Map + .Map, + PerformedActions:List ) => @@ -43,7 +44,8 @@ module PROOF-COUNT-CAN-SIGN ActionSigners, CallerAddress, Stack, - ?_Variables) + ?_Variables, + PerformedActions:List) requires true andBool isKResult(SignerIds) diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k index 32b67b41f..d6ed3918c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k @@ -32,7 +32,8 @@ module PROOF-DISCARD-ACTION-HAS-SIGNERS //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -55,7 +56,8 @@ module PROOF-DISCARD-ACTION-HAS-SIGNERS //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k index 5e10ca599..bb487fde4 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k @@ -25,7 +25,8 @@ module PROOF-DISCARD-ACTION-NO-ROLE //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-DISCARD-ACTION-NO-ROLE //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k index 213cdf6d2..4332ad9c0 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k @@ -32,7 +32,8 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS-NO-ACTION //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -55,7 +56,8 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS-NO-ACTION //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k index 4c85853b6..3a12a11de 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k @@ -32,7 +32,8 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -55,7 +56,8 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k index 8cb87b3b2..b2c156929 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k @@ -25,7 +25,8 @@ module PROOF-DISCARD-ACTION-NO-USER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-DISCARD-ACTION-NO-USER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true 
diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k index a5354cbc7..aec1251c2 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k @@ -34,7 +34,8 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -57,7 +58,8 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k index fb458c4a7..180cf9406 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k @@ -32,7 +32,8 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -55,7 +56,8 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k index f7b7a789e..fb0aba01f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k 
@@ -25,7 +25,8 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-ROLE //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-ROLE //@ trusted // Stack:List, //@ end - ?_Variables:Map + ?_Variables:Map, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k index e4d43d05b..4cc44d411 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k @@ -25,7 +25,8 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-USER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -48,7 +49,8 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-USER //@ trusted // Stack:List, //@ end - ?_Variables:Map + ?_Variables:Map, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k index a24910eca..b1ea61449 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k @@ -44,7 +44,8 @@ module PROOF-PROPOSE-SC-DEPLOY-BOARDMEMBER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -73,7 +74,8 @@ module PROOF-PROPOSE-SC-DEPLOY-BOARDMEMBER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k index 9c06e5a16..d867d6fd8 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k @@ -44,7 +44,8 @@ module PROOF-PROPOSE-SC-DEPLOY-PROPOSER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -73,7 +74,8 @@ module PROOF-PROPOSE-SC-DEPLOY-PROPOSER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k index 8710903cb..28db4ddfe 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k @@ -44,7 +44,8 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -67,7 +68,8 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE //@ trusted // Stack:List, //@ end - ?_Variables:Map + ?_Variables:Map, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k index d77c69a98..a36af36cf 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k @@ -44,7 +44,8 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-USER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -67,7 +68,8 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-USER //@ trusted // Stack:List, //@ end - ?_Variables:Map + ?_Variables:Map, + PerformedActions:List ):StateCell requires true 
diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k index a0309eaea..0224bbcbb 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k @@ -38,7 +38,8 @@ module PROOF-PROPOSE-SC-DEPLOY-FRAGMENT //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -65,7 +66,8 @@ module PROOF-PROPOSE-SC-DEPLOY-FRAGMENT //@ trusted // Stack:List, //@ end - code_metadata |-> codeMetadataFunction(Upgradeable, Payable, Readable) + code_metadata |-> codeMetadataFunction(Upgradeable, Payable, Readable), + PerformedActions:List ) requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k index 665fbefc9..b88c509b8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-PROPOSER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -49,7 +50,8 @@ module PROOF-UNSIGN-PROPOSER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k index 4f70de7b0..90c3df041 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-NO-ACTION //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => 
@@ -49,7 +50,8 @@ module PROOF-UNSIGN-NO-ACTION //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k index 0fe8e0308..02e3177f0 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-NO-ROLE //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -49,7 +50,8 @@ module PROOF-UNSIGN-NO-ROLE //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k index 576483d08..44f4b30dd 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-NO-SIGNERS //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -49,7 +50,8 @@ module PROOF-UNSIGN-NO-SIGNERS //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k index 450dbcbb2..62dd01923 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-NO-USER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => 
@@ -49,7 +50,8 @@ module PROOF-UNSIGN-NO-USER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k b/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k index bc8e0e27c..f016b9ee2 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-NOT-SIGNED //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -49,7 +50,8 @@ module PROOF-UNSIGN-NOT-SIGNED //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k b/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k index 2981f1ec3..4c055a50d 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-ONLY-SIGNER //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -49,7 +50,8 @@ module PROOF-UNSIGN-ONLY-SIGNER //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k index 184f847b4..d023acd89 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-OTHER-SIGNERS-FIRST //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => 
@@ -49,7 +50,8 @@ module PROOF-UNSIGN-OTHER-SIGNERS-FIRST //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k index 3cf98804e..478dfe9cd 100644 --- a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k +++ b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k @@ -26,7 +26,8 @@ module PROOF-UNSIGN-OTHER-SIGNERS-NOT-FIRST //@ trusted // Stack:List, //@ end - .Map + .Map, + PerformedActions:List ) => @@ -49,7 +50,8 @@ module PROOF-UNSIGN-OTHER-SIGNERS-NOT-FIRST //@ trusted // Stack:List, //@ end - ?_Variables + ?_Variables, + PerformedActions:List ):StateCell requires true From 3a2db25a57ff9081eee7e46f51f1a99ebaddeca6 Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Tue, 13 Apr 2021 02:53:04 +0300 Subject: [PATCH 23/37] Perform proofs --- multisig/kompile_tool/BUILD | 17 +- multisig/kompile_tool/kast.kscript | 18 ++ multisig/kompile_tool/kdebug.sh | 49 +++++ multisig/proof.bzl | 191 +++++++++++++++++- .../proof/functions/BUILD | 171 +++++++++++++++- .../functions/proof-change-user-role-New.k | 2 +- ...form-action-add-board-member-BoardMember.k | 78 +++++++ ...roof-perform-action-add-board-member-New.k | 85 ++++++++ ...oof-perform-action-add-board-member-None.k | 80 ++++++++ ...perform-action-add-board-member-Proposer.k | 78 +++++++ ...ction-add-proposer-BoardMember-no-quorum.k | 80 ++++++++ ...-perform-action-add-proposer-BoardMember.k | 80 ++++++++ .../proof-perform-action-add-proposer-New.k | 86 ++++++++ .../proof-perform-action-add-proposer-None.k | 81 ++++++++ ...oof-perform-action-add-proposer-Proposer.k | 79 ++++++++ ...f-perform-action-change-quorum-no-quorum.k | 75 +++++++ .../proof-perform-action-change-quorum.k | 75 +++++++ .../functions/proof-perform-action-nothing.k | 70 +++++++ ...m-action-remove-user-BoardMember-too-few.k | 83 ++++++++ ...f-perform-action-remove-user-BoardMember.k | 81 ++++++++ .../proof-perform-action-remove-user-New.k | 86 ++++++++ .../proof-perform-action-remove-user-None.k | 82 ++++++++ ...-action-remove-user-Proposer-nobody-left.k | 81 ++++++++ ...roof-perform-action-remove-user-Proposer.k | 81 ++++++++ .../functions/proof-perform-action-sc-call.k | 77 +++++++ .../proof-perform-action-sc-deploy.k | 77 +++++++ .../proof-perform-action-send-egld.k | 76 +++++++ 27 files changed, 2106 insertions(+), 13 deletions(-) create mode 100644 multisig/kompile_tool/kast.kscript create mode 100755 multisig/kompile_tool/kdebug.sh create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k
diff --git a/multisig/kompile_tool/BUILD b/multisig/kompile_tool/BUILD
index fd3cc088d..0ad149dd4 100644
--- a/multisig/kompile_tool/BUILD
+++ b/multisig/kompile_tool/BUILD
@@ -22,6 +22,14 @@ sh_binary(
 visibility = ["//visibility:public"],
 )
 
+sh_binary(
+ name = "kdebug_tool",
+ srcs = ["kdebug.sh"],
+ deps = [":k_release", ":kast_script"], # TODO: Use either deps or data.
+ data = [":k_release", ":kast_script"],
+ visibility = ["//visibility:public"],
+)
+
 sh_binary(
 name = "ktrusted_tool",
 srcs = ["make-trusted.py"],
@@ -37,4 +45,11 @@ sh_binary(
 sh_library(
 name = "k_release",
 data = glob(["k/**"]),
-)
\ No newline at end of file
+ visibility = ["//visibility:public"],
+)
+
+sh_library(
+ name = "kast_script",
+ srcs = ["kast.kscript"],
+ visibility = ["//visibility:public"],
+)
diff --git a/multisig/kompile_tool/kast.kscript b/multisig/kompile_tool/kast.kscript
new file mode 100644
index 000000000..e337c2470
--- /dev/null
+++ b/multisig/kompile_tool/kast.kscript
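Review bot: `kdebug_tool` lists `:k_release` and `:kast_script` under both `deps` and `data` and leaves a TODO to pick one; as far as I recall, `sh_binary` already propagates the runfiles of its `sh_library` deps, so the `data` line is redundant and the TODO can be resolved in this commit rather than deferred. If both are kept on purpose, replace the TODO with a one-line comment stating why, e.g. `# data is needed as well because … `, so the next reader does not remove one of them.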
@@ -0,0 +1,18 @@
+alias kclaim = claim | kast -i kore -o pretty -d . /dev/stdin
+alias kclaim-d x = claim | kast -i kore -o pretty -d x /dev/stdin
+alias kclaim-n x = claim x | kast -i kore -o pretty -d . /dev/stdin
+alias kclaim-nd x y = claim x | kast -i kore -o pretty -d y /dev/stdin
+alias kaxiom x = axiom x | kast -i kore -o pretty -d . /dev/stdin
+alias kaxiom-d x y = axiom x | kast -i kore -o pretty -d y /dev/stdin
+alias konfig = config | kast -i kore -o pretty -d . /dev/stdin
+alias konfig-d x = config | kast -i kore -o pretty -d x /dev/stdin
+alias konfig-n x = config x | kast -i kore -o pretty -d . /dev/stdin
+alias konfig-nd x y = config x | kast -i kore -o pretty -d y /dev/stdin
+alias ktry x = try x | kast -i kore -o pretty -d . /dev/stdin
+alias ktry-d x y = try x | kast -i kore -o pretty -d y /dev/stdin
+alias ktryf x = tryf x | kast -i kore -o pretty -d . /dev/stdin
+alias ktryf-d x y = tryf x | kast -i kore -o pretty -d y /dev/stdin
+alias krule = rule | kast -i kore -o pretty -d . /dev/stdin
+alias krule-d x = rule | kast -i kore -o pretty -d x /dev/stdin
+alias krule-n x = rule x | kast -i kore -o pretty -d . /dev/stdin
+alias krule-nd x y = rule x | kast -i kore -o pretty -d y /dev/stdin
diff --git a/multisig/kompile_tool/kdebug.sh b/multisig/kompile_tool/kdebug.sh
new file mode 100755
index 000000000..355bedb02
--- /dev/null
+++ b/multisig/kompile_tool/kdebug.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+set -e -x
+
+echo "$@"
+
+PARENT_DIR=`dirname $0`
+
+KOMPILE_DIR=`dirname $1`
+shift
+
+TMP_DIR=$(mktemp -d)
+trap 'rm -rf -- "$TMP_DIR"' EXIT
+
+ORIGINAL_FILE=$1
+shift
+
+PROOF_FILE=$1
+shift
+
+MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:])
+
+cp -rL $KOMPILE_DIR $TMP_DIR
+chmod -R a+w $TMP_DIR/*
+ls -a $TMP_DIR
+
+KOMPILE_TOOL_DIR=kompile_tool
+
+KPROVE=$KOMPILE_TOOL_DIR/k/bin/kprove
+REPL_SCRIPT=$KOMPILE_TOOL_DIR/kast.kscript
+
+BACKEND_COMMAND="kore-exec"
+if [ $# -eq 0 ]; then
+ BACKEND_COMMAND="kore-exec"
+else
+ if [ "$1" == "--debug" ]; then
+ BACKEND_COMMAND="kore-repl --repl-script $REPL_SCRIPT"
+ else
+ echo "Unknown argument: '$1'"
+ exit 1
+ fi
+fi
+
+$KPROVE \
+ --haskell-backend-command "$BACKEND_COMMAND --smt-timeout 4000" \
+ --directory "$TMP_DIR" \
+ --spec-module "$MODULE_NAME" \
+ "$PROOF_FILE"
+# -I `pwd`
diff --git a/multisig/proof.bzl b/multisig/proof.bzl
index d38860a3a..f3a375e73 100644
--- a/multisig/proof.bzl
+++ b/multisig/proof.bzl
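Review bot: `PARENT_DIR` is computed from `$0` and never used, while `KOMPILE_TOOL_DIR=kompile_tool` is a path relative to the current directory, so `$KPROVE` and `$REPL_SCRIPT` only resolve when the script is started from the directory that contains `kompile_tool`; the `$0`-relative directory is presumably what `KOMPILE_TOOL_DIR` was meant to be, given that `:k_release` and `:kast_script` are the tool's data. Several expansions are unquoted (`dirname $0`, `dirname $1`, `cp -rL $KOMPILE_DIR $TMP_DIR`, `chmod -R a+w $TMP_DIR/*`, `ls -a $TMP_DIR`), so a kompiled directory or proof path containing a space is split into separate arguments under `set -e`, and the unquoted `tr [:lower:] [:upper:]` operands are bracket globs that expand to file names if the working directory happens to hold a single-character file matching one of those classes. The rewrite below quotes them; `a+w` on the copy is also wider than the script needs, since `mktemp -d` creates the directory owner-only, so `u+w` is enough.
```shell
PARENT_DIR=$(dirname "$0")

KOMPILE_DIR=$(dirname "$1")
shift
# … unchanged: TMP_DIR, trap, ORIGINAL_FILE and PROOF_FILE shifts …
MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr '[:lower:]' '[:upper:]')

cp -rL "$KOMPILE_DIR" "$TMP_DIR"
chmod -R u+w "$TMP_DIR"/*
ls -a "$TMP_DIR"

# Was the literal `kompile_tool`, i.e. relative to the cwd; confirm that $0
# resolves to the same directory under `bazel run` before relying on this.
KOMPILE_TOOL_DIR=$PARENT_DIR
# … unchanged: KPROVE, REPL_SCRIPT, backend selection, kprove invocation …
```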
@@ -125,20 +125,37 @@ ktrusted = rule( }, ) +def _merge_trusted(input_file, trusted_attr, kmerge, actions, merged_file): + all_trusted = [] + for dep in trusted_attr: + all_trusted += [dep[KtrustedInfo].trusted] + actions.run( + inputs=depset([input_file] + all_trusted), + outputs=[merged_file], + arguments=[merged_file.path] + [s.path for s in all_trusted] + [input_file.path], + progress_message="Preparing %s" % input_file.path, + executable=kmerge) + def _kprove_impl(ctx): if len(ctx.files.srcs) != 1: fail merged_file = ctx.actions.declare_file(ctx.label.name + '.k') - all_trusted = [] - for dep in ctx.attr.trusted: - all_trusted += [dep[KtrustedInfo].trusted] - ctx.actions.run( - inputs=depset(ctx.files.srcs + all_trusted), - outputs=[merged_file], - arguments=[merged_file.path] + [s.path for s in (ctx.files.srcs + all_trusted)], - progress_message="Preparing %s" % ctx.files.srcs[0].path, - executable=ctx.executable.kmerge_tool) + _merge_trusted( + ctx.files.srcs[0], + ctx.attr.trusted, + ctx.executable.kmerge_tool, + ctx.actions, + merged_file) + # all_trusted = [] + # for dep in ctx.attr.trusted: + # all_trusted += [dep[KtrustedInfo].trusted] + # ctx.actions.run( + # inputs=depset(ctx.files.srcs + all_trusted), + # outputs=[merged_file], + # arguments=[merged_file.path] + [s.path for s in (ctx.files.srcs + all_trusted)], + # progress_message="Preparing %s" % ctx.files.srcs[0].path, + # executable=ctx.executable.kmerge_tool) output_file = ctx.actions.declare_file(ctx.label.name + '-proved-xyzzy') tmp_dir = ctx.actions.declare_directory(ctx.label.name + '-kompiled-xyzzy') 
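Review bot: `_merge_trusted` changes the order of the files handed to the kmerge tool — the old `arguments=` passed `ctx.files.srcs` before the trusted files, the new one puts `all_trusted` first and `input_file.path` last — and neither the commit nor a comment says whether kmerge's output depends on that order; if the reorder is intentional, say so in a comment above the `arguments=` line, otherwise restore `[input_file.path] + [s.path for s in all_trusted]`. The nine commented-out lines left in `_kprove_impl` duplicate what `_merge_trusted` now does and should be deleted rather than kept as a comment, since git history preserves them. `_merge_trusted` would also benefit from a one-line docstring stating that it merges the single source file with every `KtrustedInfo.trusted` file into `merged_file` by running kmerge.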
@@ -146,7 +163,11 @@ def _kprove_impl(ctx): ctx.actions.run( inputs=depset([merged_file] + ctx.attr.semantics[KompileInfo].files), outputs=[output_file, tmp_dir], - arguments=[output_file.path, ctx.attr.semantics[KompileInfo].files[0].path, tmp_dir.path, merged_file.path], + arguments=[ + output_file.path, + ctx.attr.semantics[KompileInfo].files[0].path, + tmp_dir.path, + merged_file.path], progress_message="Proving %s" % ctx.files.srcs[0].path, executable=ctx.executable.kprove_tool) return [ 
@@ -176,6 +197,156 @@ kprove = rule( }, ) + + +def _kprove_test_impl(ctx): + if len(ctx.files.srcs) != 1: + fail + merged_file = ctx.actions.declare_file(ctx.label.name + '.k') + + _merge_trusted( + ctx.files.srcs[0], + ctx.attr.trusted, + ctx.executable.kmerge_tool, + ctx.actions, + merged_file) + + output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') + script_lines = [ + "#!/usr/bin/env bash", + "ls", + "ls protocol-correctness", + "ls -l kompile_tool", + "ls protocol-correctness/proof", + "echo ------------", + "ls protocol-correctness/proof/functions", + "", + "echo '*****************'", + "kompile_tool/kdebug_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), + "echo '*****************'", + ] + ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) + runfiles = ctx.runfiles( + [merged_file, ctx.executable.kdebug_tool] + + ctx.attr.semantics[KompileInfo].files + + ctx.attr.k_distribution[DefaultInfo].files.to_list() + + ctx.attr.debug_script[DefaultInfo].files.to_list() + ) + return [ + DefaultInfo( + runfiles = runfiles, + executable = output_file, + ) + ] + +kprove_test = rule( + implementation = _kprove_test_impl, + attrs = { + "srcs": attr.label_list(allow_files = [".k"]), + "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), + "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), + "kdebug_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kdebug_tool"), + ), + "kmerge_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kmerge_tool"), + ), + "k_distribution": attr.label( + executable = False, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:k_release"), + ), + "debug_script": attr.label( + executable = False, + cfg = "exec", + allow_files = True, + default = 
Label("//kompile_tool:kast_script"), + ), + }, + test = True, +) + +def _kdebug_impl(ctx): + if len(ctx.files.srcs) != 1: + fail + merged_file = ctx.actions.declare_file(ctx.label.name + '.k') + + _merge_trusted( + ctx.files.srcs[0], + ctx.attr.trusted, + ctx.executable.kmerge_tool, + ctx.actions, + merged_file) + + output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') + script_lines = [ + "#!/usr/bin/env bash", + "ls", + "ls protocol-correctness", + "ls -l kompile_tool", + "ls protocol-correctness/proof", + "echo ------------", + "ls protocol-correctness/proof/functions", + "", + "echo '*****************'", + "kompile_tool/kdebug_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), + "echo '*****************'", + ] + ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) + runfiles = ctx.runfiles( + [merged_file, ctx.executable.kdebug_tool] + + ctx.attr.semantics[KompileInfo].files + + ctx.attr.k_distribution[DefaultInfo].files.to_list() + + ctx.attr.debug_script[DefaultInfo].files.to_list() + ) + return [ + DefaultInfo( + runfiles = runfiles, + executable = output_file, + ) + ] + +kdebug = rule( + implementation = _kdebug_impl, + attrs = { + "srcs": attr.label_list(allow_files = [".k"]), + "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), + "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), + "kdebug_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kdebug_tool"), + ), + "kmerge_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kmerge_tool"), + ), + "k_distribution": attr.label( + executable = False, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:k_release"), + ), + "debug_script": attr.label( + executable = False, + cfg = "exec", + allow_files = True, + 
default = Label("//kompile_tool:kast_script"), + ), + }, + executable = True, +) + # # Given executable_file and runfile_file: # runfiles_root = executable_file.path + ".runfiles" # workspace_name = ctx.workspace_name diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index 923e28440..a6915f0b5 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -1,4 +1,4 @@ -load("//:proof.bzl", "kompile", "kprove", "ktrusted") +load("//:proof.bzl", "kompile", "kprove", "ktrusted", "kdebug", "kprove_test") kompile( name = "functions-execute", 
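Review bot: The bare `fail` under `if len(ctx.files.srcs) != 1:` in both `_kprove_test_impl` and `_kdebug_impl` is an expression that names the built-in without calling it, so a rule with zero or several srcs silently proceeds to `ctx.files.srcs[0]`; the pre-existing `_kprove_impl` has the same problem, but the two new functions copy it. `_kprove_test_impl` and `_kdebug_impl` are byte-for-byte identical, as are the `attrs` dicts of `kprove_test` and `kdebug`, so one shared implementation and one shared attrs dict would keep the two rules from drifting apart. The generated runner also embeds six `ls`/`echo` diagnostic lines that end up in every test log; if they are meant to stay, a comment saying they exist to debug the runfiles layout would help, otherwise drop them. The script mixes `ctx.files.srcs[0].path` with `.short_path` for the other two arguments, and inside runfiles only the short path is normally expected to resolve, so that looks worth confirming.
```starlark
_KDEBUG_ATTRS = {
    "srcs": attr.label_list(allow_files = [".k"]),
    # … unchanged: trusted, semantics, kdebug_tool, kmerge_tool, k_distribution, debug_script …
}

def _kdebug_runner_impl(ctx):
    """Merges the single src with its trusted deps and writes a runner script invoking kdebug_tool."""
    if len(ctx.files.srcs) != 1:
        fail("%s: expected exactly one src, got %d" % (ctx.label, len(ctx.files.srcs)))
    merged_file = ctx.actions.declare_file(ctx.label.name + '.k')
    # … unchanged: _merge_trusted call, runner script, runfiles, DefaultInfo …

kprove_test = rule(
    implementation = _kdebug_runner_impl,
    attrs = _KDEBUG_ATTRS,
    test = True,
)

kdebug = rule(
    implementation = _kdebug_runner_impl,
    attrs = _KDEBUG_ATTRS,
    executable = True,
)
```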
@@ -9,6 +9,154 @@ kompile( ], ) +kprove_test( + name = "proof-perform-action-remove-user-BoardMember", + srcs = ["proof-perform-action-remove-user-BoardMember.k"], + trusted = [":trusted-change-user-role-BoardMember"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-remove-user-BoardMember-too-few", + srcs = ["proof-perform-action-remove-user-BoardMember-too-few.k"], + trusted = [":trusted-change-user-role-BoardMember"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-remove-user-Proposer-nobody-left", + srcs = ["proof-perform-action-remove-user-Proposer-nobody-left.k"], + trusted = [":trusted-change-user-role-Proposer"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-remove-user-Proposer", + srcs = ["proof-perform-action-remove-user-Proposer.k"], + trusted = [":trusted-change-user-role-Proposer"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-remove-user-None", + srcs = ["proof-perform-action-remove-user-None.k"], + trusted = [":trusted-change-user-role-None"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-remove-user-New", + srcs = ["proof-perform-action-remove-user-New.k"], + trusted = [":trusted-change-user-role-New"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-change-quorum", + srcs = ["proof-perform-action-change-quorum.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-change-quorum-no-quorum", + srcs = ["proof-perform-action-change-quorum-no-quorum.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-proposer-BoardMember-no-quorum", + srcs = ["proof-perform-action-add-proposer-BoardMember-no-quorum.k"], + trusted = [":trusted-change-user-role-BoardMember"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-proposer-BoardMember", + srcs = 
["proof-perform-action-add-proposer-BoardMember.k"], + trusted = [":trusted-change-user-role-BoardMember"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-proposer-Proposer", + srcs = ["proof-perform-action-add-proposer-Proposer.k"], + trusted = [":trusted-change-user-role-Proposer"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-proposer-New", + srcs = ["proof-perform-action-add-proposer-New.k"], + trusted = [":trusted-change-user-role-New"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-proposer-None", + srcs = ["proof-perform-action-add-proposer-None.k"], + trusted = [":trusted-change-user-role-None"], + semantics = ":functions-execute", +) + +kdebug( + name = "proof-perform-action-add-board-member-None-debug", + srcs = ["proof-perform-action-add-board-member-None.k"], + trusted = [":trusted-change-user-role-None"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-board-member-New", + srcs = ["proof-perform-action-add-board-member-New.k"], + trusted = [":trusted-change-user-role-New"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-board-member-BoardMember", + srcs = ["proof-perform-action-add-board-member-BoardMember.k"], + trusted = [":trusted-change-user-role-BoardMember"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-board-member-Proposer", + srcs = ["proof-perform-action-add-board-member-Proposer.k"], + trusted = [":trusted-change-user-role-Proposer"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-add-board-member-None", + srcs = ["proof-perform-action-add-board-member-None.k"], + trusted = [":trusted-change-user-role-None"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-send-egld", + srcs = ["proof-perform-action-send-egld.k"], + semantics = 
":functions-execute", +) + +kprove( + name = "proof-perform-action-sc-call", + srcs = ["proof-perform-action-sc-call.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-sc-deploy", + srcs = ["proof-perform-action-sc-deploy.k"], + semantics = ":functions-execute", +) + +kprove( + name = "proof-perform-action-nothing", + srcs = ["proof-perform-action-nothing.k"], + semantics = ":functions-execute", +) + kprove( name = "proof-change-user-role-BoardMember", srcs = ["proof-change-user-role-BoardMember.k"], @@ -281,3 +429,24 @@ ktrusted( name = "trusted-propose-sc-deploy-fragment", srcs = ["proof-propose-sc-deploy-fragment.k"], ) + +ktrusted( + name = "trusted-change-user-role-BoardMember", + srcs = ["proof-change-user-role-BoardMember.k"], +) + +ktrusted( + name = "trusted-change-user-role-New", + srcs = ["proof-change-user-role-New.k"], +) + +ktrusted( + name = "trusted-change-user-role-None", + srcs = ["proof-change-user-role-None.k"], +) + +ktrusted( + name = "trusted-change-user-role-Proposer", + srcs = ["proof-change-user-role-Proposer.k"], +) + diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k index 21f12ba04..ad53de6cc 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k @@ -56,7 +56,7 @@ module PROOF-CHANGE-USER-ROLE-NEW requires true andBool NumUsers >=Int 0 // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + - // someting to map values to keys. + // something to map values to keys. andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) 
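Review bot: `proof-perform-action-remove-user-BoardMember` is the only target in the new block declared with `kprove_test` while every sibling uses `kprove`, and `proof-perform-action-add-board-member-None-debug` is a `kdebug` target built from the same source as the `proof-perform-action-add-board-member-None` target below it; both read like debugging scaffolding that stayed in, and if they are intended, a comment on each explaining why this one proof goes through the test/debug runner would help. Because there is no `kprove` counterpart for proof-perform-action-remove-user-BoardMember.k, that proof appears to run only under `bazel test` rather than with the other proofs in a regular build, which looks worth confirming.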
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k new file mode 100644 index 000000000..9e1365cc0 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k @@ -0,0 +1,78 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k new file mode 100644 index 000000000..df32b4a54 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k 
@@ -0,0 +1,85 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers +Int 1) + NumProposers + u(NumUsers +Int 1) |-> BoardMember UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + + andBool notBool UserAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k new file mode 100644 index 000000000..5dbfe9b57 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k 
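Review bot: The `// someting to map values to keys.` TODO comment in the `requires` clause carries the same typo this commit fixes in proof-change-user-role-New.k; the new proof-perform-action-add-proposer-New.k copies it too, while proof-perform-action-remove-user-New.k already reads `something`. Since these claims share the `unusedIdsInMapKeys` precondition block verbatim, the spelling fix should be applied to all of them at once.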
@@ -0,0 +1,80 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers +Int 1) + NumProposers + UserId |-> BoardMember UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k new file mode 100644 index 000000000..751b326be --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k 
@@ -0,0 +1,78 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> Proposer UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers +Int 1) + u(NumProposers -Int 1) + UserId |-> BoardMember UserIdToRole:Map + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k new file mode 100644 index 000000000..0c28be09a --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k 
@@ -0,0 +1,80 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + error ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole:Map + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool Quorum ==Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k new file mode 100644 index 000000000..891b57e9d --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k 
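Review bot: The right-hand side of this claim asserts that the failing action still commits its effects — `u(NumBoardMembers -Int 1)`, `u(NumProposers +Int 1)` and `UserId |-> Proposer` appear next to `error ~> K` — which, under the `Quorum ==Int NumBoardMembers` precondition, leaves a board smaller than the quorum afterwards, whereas proof-perform-action-change-quorum-no-quorum keeps `OldQuorum` unchanged on its error path. proof-perform-action-remove-user-BoardMember-too-few has the same shape (`u(NumBoardMembers -Int 1)` alongside `error`). If `error` here models a reverted transaction, the state cells on the right-hand side should equal the left-hand side; if the semantics deliberately apply the role change before the quorum check and rely on an outer rollback, a comment above `error ~> K` saying so would stop a reader from taking it for an invariant violation.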
@@ -0,0 +1,80 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole:Map + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool Quorum <=Int NumBoardMembers -Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k new file mode 100644 index 000000000..e30b08f1e --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k 
@@ -0,0 +1,86 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-PROPOSER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers) + u(NumProposers +Int 1) + u(NumUsers +Int 1) |-> Proposer UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k new file mode 100644 index 000000000..51c827238 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k 
@@ -0,0 +1,81 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-PROPOSER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k new file mode 100644 index 000000000..f723a06cd --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k 
@@ -0,0 +1,79 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ADD-PROPOSER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k new file mode 100644 index 000000000..5d83be627 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k 
@@ -0,0 +1,75 @@ +//@ proof +module PROOF-PERFORM-ACTION-CHANGE-QUORUM-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-CHANGE-QUORUM-NO-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + OldQuorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + error ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + OldQuorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool NewQuorum >Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k new file mode 100644 index 000000000..c69da7b2c --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k 
@@ -0,0 +1,75 @@ +//@ proof +module PROOF-PERFORM-ACTION-CHANGE-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-CHANGE-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + _OldQuorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + u(NewQuorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool NewQuorum <=Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k new file mode 100644 index 000000000..4520ce641 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k @@ -0,0 +1,70 @@ +//@ proof +module PROOF-PERFORM-ACTION-NOTHING +//@ trusted +// module TRUSTED-PERFORM-NOTHING +//@ end + + imports PSEUDOCODE + + claim + + call(performAction(Nothing:Action)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file 
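Review bot: The `requires` clause of PROOF-PERFORM-ACTION-CHANGE-QUORUM bounds `NewQuorum` only from above (`NewQuorum <=Int NumBoardMembers`), so together with the no-quorum claim it states that `ChangeQuorum(u(0))` succeeds and installs a quorum of zero; nothing visible says whether `u(...)` already implies non-negativity or whether a zero quorum is intended. If it is not, add `andBool NewQuorum >Int 0` here and a matching error-case claim; if it is, a comment on the requires line stating that a zero quorum is accepted by design would save the next reader the question.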
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k new file mode 100644 index 000000000..512e29b8b --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k @@ -0,0 +1,83 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + RemoveUser(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + error ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers) + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool (false + orBool NumBoardMembers +Int NumProposers ==Int 1 + orBool Quorum ==Int NumBoardMembers + ) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k new file mode 100644 index 000000000..99601846e --- /dev/null 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k @@ -0,0 +1,81 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + RemoveUser(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers) + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + andBool Quorum <=Int NumBoardMembers -Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k new file mode 100644 index 000000000..6b39f92ca --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k 
@@ -0,0 +1,86 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-REMOVE-USER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-REMOVE-USER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + RemoveUser(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers) + u(NumProposers) + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // something to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool Quorum <=Int NumBoardMembers + + andBool notBool (UserAddress in_keys(AddressToUserId)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k new file mode 100644 index 000000000..6eec392d9 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k 
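Review bot: Removing an address that is not yet a user is proven to allocate a fresh id (`u(NumUsers +Int 1)`) and insert it into both `UserIdToAddress` and `AddressToUserId`, so `RemoveUser` is a state-changing operation on unknown addresses and the user count grows without any role being assigned. If this mirrors a get-or-create helper in the contract, a comment above `claim` should say so (`// RemoveUser on an unknown address registers it first; the role map is left untouched.`), otherwise it looks like a modelling slip. The `TODO` on `unusedIdsInMapValues` also means the id-freshness precondition is stated over the two `keysMap` views only; the claim should say why freshness against `AddressToUserId`'s values is not needed here.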
@@ -0,0 +1,82 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-REMOVE-USER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-REMOVE-USER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + RemoveUser(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers) + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool Quorum <=Int NumBoardMembers + + andBool notBool (u(UserId) in_keys(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k new file mode 100644 index 000000000..b3a335880 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k 
@@ -0,0 +1,81 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + RemoveUser(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> Proposer UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + error ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers -Int 1) + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool NumBoardMembers +Int NumProposers ==Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k new file mode 100644 index 000000000..899d8c884 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k 
@@ -0,0 +1,81 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-REMOVE-USER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + RemoveUser(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> Proposer UserIdToRole:Map + u(Quorum:Int) + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers -Int 1) + UserIdToRole + u(Quorum) + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k new file mode 100644 index 000000000..3493e51e1 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k 
@@ -0,0 +1,77 @@ +//@ proof +module PROOF-PERFORM-ACTION-SC-CALL +//@ trusted +// module TRUSTED-PERFORM-ACTION-SC-CALL +//@ end + + imports PSEUDOCODE + + claim + + call(performAction(SCCall( + _To:Address, + _Amount:BigUint, + _Function:BoxedBytes, + _Arguments:ExpressionList) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k new file mode 100644 index 000000000..2dfdbc695 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k 
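Review bot: This claim, and the SCDeploy and SendEgld ones that follow it, prove only that `performAction` reaches `evaluate(void)` with every storage cell unchanged, with nothing required beyond `isKResult(Action)`; the transfer, call or deployment itself has no representation in the configuration, so nothing is proven about the external effect or its failure modes. A comment above `claim` should make that scope explicit, e.g. `// The outgoing call is not modelled; this only shows contract storage is untouched.`, so the trusted version is not read as a statement about the transfer. All three files also end without a trailing newline.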
@@ -0,0 +1,77 @@ +//@ proof +module PROOF-PERFORM-ACTION-SC-DEPLOY +//@ trusted +// module TRUSTED-PERFORM-ACTION-SC-DEPLOY +//@ end + + imports PSEUDOCODE + + claim + + call(performAction(SCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _CodeMetadata:CodeMetadata, + _Arguments:ExpressionList) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k new file mode 100644 index 000000000..0825fa94c --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k 
@@ -0,0 +1,76 @@ +//@ proof +module PROOF-PERFORM-ACTION-SEND-EGLD +//@ trusted +// module TRUSTED-PERFORM-ACTION-SEND-EGLD +//@ end + + imports PSEUDOCODE + + claim + + call(performAction(SendEgld( + _To:Address, + _Amount:BigUint, + _Data:BoxedBytes) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + ActionState:ActionStateCell + + + .Map + Stack:List + + + CallerAddress:Address + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + ActionState + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file From 2733131826c9d3195e6c7cac61d5ae5d047fe184 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Tue, 13 Apr 2021 14:28:31 +0300 Subject: [PATCH 24/37] Convert proofs to tests --- multisig/kompile_tool/BUILD | 8 - multisig/kompile_tool/kdebug.sh | 49 ----- multisig/kompile_tool/kprove.sh | 38 +++- multisig/proof.bzl | 162 +--------------- .../proof/functions/BUILD | 181 +++++++++++------- 5 files changed, 151 insertions(+), 287 deletions(-) delete mode 100755 multisig/kompile_tool/kdebug.sh diff --git a/multisig/kompile_tool/BUILD b/multisig/kompile_tool/BUILD index 0ad149dd4..35a835f2c 100644 --- a/multisig/kompile_tool/BUILD +++ b/multisig/kompile_tool/BUILD @@ -22,14 +22,6 @@ sh_binary( visibility = ["//visibility:public"], ) -sh_binary( - name = "kdebug_tool", - srcs = ["kdebug.sh"], - deps = [":k_release", ":kast_script"], # TODO: Use either deps or data. - data = [":k_release", ":kast_script"], - visibility = ["//visibility:public"], -) - sh_binary( name = "ktrusted_tool", srcs = ["make-trusted.py"], 
diff --git a/multisig/kompile_tool/kdebug.sh b/multisig/kompile_tool/kdebug.sh deleted file mode 100755 index 355bedb02..000000000 --- a/multisig/kompile_tool/kdebug.sh +++ /dev/null @@ -1,49 +0,0 @@ -#!/usr/bin/env bash - -set -e -x - -echo "$@" - -PARENT_DIR=`dirname $0` - -KOMPILE_DIR=`dirname $1` -shift - -TMP_DIR=$(mktemp -d) -trap 'rm -rf -- "$TMP_DIR"' EXIT - -ORIGINAL_FILE=$1 -shift - -PROOF_FILE=$1 -shift - -MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:]) - -cp -rL $KOMPILE_DIR $TMP_DIR -chmod -R a+w $TMP_DIR/* -ls -a $TMP_DIR - -KOMPILE_TOOL_DIR=kompile_tool - -KPROVE=$KOMPILE_TOOL_DIR/k/bin/kprove -REPL_SCRIPT=$KOMPILE_TOOL_DIR/kast.kscript - -BACKEND_COMMAND="kore-exec" -if [ $# -eq 0 ]; then - BACKEND_COMMAND="kore-exec" -else - if [ "$1" == "--debug" ]; then - BACKEND_COMMAND="kore-repl --repl-script $REPL_SCRIPT" - else - echo "Unknown argument: '$1'" - exit 1 - fi -fi - -$KPROVE \ - --haskell-backend-command "$BACKEND_COMMAND --smt-timeout 4000" \ - --directory "$TMP_DIR" \ - --spec-module "$MODULE_NAME" \ - "$PROOF_FILE" -# -I `pwd` diff --git a/multisig/kompile_tool/kprove.sh b/multisig/kompile_tool/kprove.sh index 250af0272..fcd25249c 100755 --- a/multisig/kompile_tool/kprove.sh +++ b/multisig/kompile_tool/kprove.sh 
@@ -3,19 +3,43 @@ set -e PARENT_DIR=`dirname $0` -OUTPUT=$1 -shift KOMPILE_DIR=`dirname $1` shift -TMP_DIR=$1 +TMP_DIR=$(mktemp -d) +trap 'rm -rf -- "$TMP_DIR"' EXIT + +ORIGINAL_FILE=$1 +shift + +PROOF_FILE=$1 shift +MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:]) + cp -rL $KOMPILE_DIR $TMP_DIR chmod -R a+w $TMP_DIR/* -KPROVE=$PARENT_DIR/kprove_tool.runfiles/__main__/kompile_tool/k/bin/kprove -$KPROVE --haskell-backend-command "kore-exec --smt-timeout 4000" --directory "$TMP_DIR" "$@" -# -I `pwd` -touch $OUTPUT +KOMPILE_TOOL_DIR=kompile_tool + +KPROVE=$KOMPILE_TOOL_DIR/k/bin/kprove +REPL_SCRIPT=$KOMPILE_TOOL_DIR/kast.kscript + +BACKEND_COMMAND="kore-exec" +if [ $# -eq 0 ]; then + BACKEND_COMMAND="kore-exec" +else + if [ "$1" == "--debug" ]; then + BACKEND_COMMAND="kore-repl --repl-script $REPL_SCRIPT" + else + echo "Unknown argument: '$1'" + exit 1 + fi +fi + +$KPROVE \ + --haskell-backend-command "$BACKEND_COMMAND --smt-timeout 4000" \ + --directory "$TMP_DIR" \ + --spec-module "$MODULE_NAME" \ + "$PROOF_FILE" diff --git a/multisig/proof.bzl b/multisig/proof.bzl index f3a375e73..e5d7d5b65 100644 --- a/multisig/proof.bzl +++ b/multisig/proof.bzl 
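Review bot: `tr [:lower:] [:upper:]` leaves both character classes unquoted, so the shell may glob-expand them against files in the working directory before `tr` sees them; the same unquoted-expansion pattern is repeated in `cp -rL $KOMPILE_DIR $TMP_DIR` and `chmod -R a+w $TMP_DIR/*` on the temporary directory that `mktemp -d` created. The fix is quoting: `MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr '[:lower:]' '[:upper:]')`, `cp -rL "$KOMPILE_DIR" "$TMP_DIR"`, `chmod -R a+w "$TMP_DIR"/*`. Since `MODULE_NAME` comes from a pipeline, `set -e` alone does not catch a failing `basename` or `sed`; `set -euo pipefail` would. `PARENT_DIR` is still computed but no longer used now that the tool is located through the relative `kompile_tool` path, so it can go.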
@@ -136,69 +136,6 @@ def _merge_trusted(input_file, trusted_attr, kmerge, actions, merged_file): progress_message="Preparing %s" % input_file.path, executable=kmerge) -def _kprove_impl(ctx): - if len(ctx.files.srcs) != 1: - fail - merged_file = ctx.actions.declare_file(ctx.label.name + '.k') - - _merge_trusted( - ctx.files.srcs[0], - ctx.attr.trusted, - ctx.executable.kmerge_tool, - ctx.actions, - merged_file) - # all_trusted = [] - # for dep in ctx.attr.trusted: - # all_trusted += [dep[KtrustedInfo].trusted] - # ctx.actions.run( - # inputs=depset(ctx.files.srcs + all_trusted), - # outputs=[merged_file], - # arguments=[merged_file.path] + [s.path for s in (ctx.files.srcs + all_trusted)], - # progress_message="Preparing %s" % ctx.files.srcs[0].path, - # executable=ctx.executable.kmerge_tool) - - output_file = ctx.actions.declare_file(ctx.label.name + '-proved-xyzzy') - tmp_dir = ctx.actions.declare_directory(ctx.label.name + '-kompiled-xyzzy') - # TODO: Make this work if the file name is not based on the target name. 
- ctx.actions.run( - inputs=depset([merged_file] + ctx.attr.semantics[KompileInfo].files), - outputs=[output_file, tmp_dir], - arguments=[ - output_file.path, - ctx.attr.semantics[KompileInfo].files[0].path, - tmp_dir.path, - merged_file.path], - progress_message="Proving %s" % ctx.files.srcs[0].path, - executable=ctx.executable.kprove_tool) - return [ - DefaultInfo( - files = depset([ output_file ]), - ) - ] - -kprove = rule( - implementation = _kprove_impl, - attrs = { - "srcs": attr.label_list(allow_files = [".k"]), - "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), - "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), - "kprove_tool": attr.label( - executable = True, - cfg = "exec", - allow_files = True, - default = Label("//kompile_tool:kprove_tool"), - ), - "kmerge_tool": attr.label( - executable = True, - cfg = "exec", - allow_files = True, - default = Label("//kompile_tool:kmerge_tool"), - ), - }, -) - - - def _kprove_test_impl(ctx): if len(ctx.files.srcs) != 1: fail 
@@ -214,20 +151,12 @@ def _kprove_test_impl(ctx): output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') script_lines = [ "#!/usr/bin/env bash", - "ls", - "ls protocol-correctness", - "ls -l kompile_tool", - "ls protocol-correctness/proof", - "echo ------------", - "ls protocol-correctness/proof/functions", "", - "echo '*****************'", - "kompile_tool/kdebug_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), - "echo '*****************'", + "kompile_tool/kprove_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), ] ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) runfiles = ctx.runfiles( - [merged_file, ctx.executable.kdebug_tool] + [merged_file, ctx.executable.kprove_tool] + ctx.attr.semantics[KompileInfo].files + ctx.attr.k_distribution[DefaultInfo].files.to_list() + ctx.attr.debug_script[DefaultInfo].files.to_list() @@ -245,11 +174,11 @@ kprove_test = rule( "srcs": attr.label_list(allow_files = [".k"]), "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), - "kdebug_tool": attr.label( + "kprove_tool": attr.label( executable = True, cfg = "exec", allow_files = True, - default = Label("//kompile_tool:kdebug_tool"), + default = Label("//kompile_tool:kprove_tool"), ), "kmerge_tool": attr.label( executable = True, 
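Review bot: The generated runner line interpolates three file paths into a bash command unquoted, so any path containing a space or shell metacharacter breaks the script; Bazel output paths are normally safe, but quoting is free: `'kompile_tool/kprove_tool "%s" "%s" "%s" "$@"' % (...)`. The second argument is `ctx.files.srcs[0].path` while the others are `short_path`; this appears to work only because kprove.sh uses that argument solely for `basename` to derive the module name and never opens it, which is worth a comment next to the call so the next edit does not assume the file is reachable. `_kprove_test_impl` begins above this hunk.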
@@ -272,86 +201,3 @@ kprove_test = rule( }, test = True, ) - -def _kdebug_impl(ctx): - if len(ctx.files.srcs) != 1: - fail - merged_file = ctx.actions.declare_file(ctx.label.name + '.k') - - _merge_trusted( - ctx.files.srcs[0], - ctx.attr.trusted, - ctx.executable.kmerge_tool, - ctx.actions, - merged_file) - - output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') - script_lines = [ - "#!/usr/bin/env bash", - "ls", - "ls protocol-correctness", - "ls -l kompile_tool", - "ls protocol-correctness/proof", - "echo ------------", - "ls protocol-correctness/proof/functions", - "", - "echo '*****************'", - "kompile_tool/kdebug_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), - "echo '*****************'", - ] - ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) - runfiles = ctx.runfiles( - [merged_file, ctx.executable.kdebug_tool] - + ctx.attr.semantics[KompileInfo].files - + ctx.attr.k_distribution[DefaultInfo].files.to_list() - + ctx.attr.debug_script[DefaultInfo].files.to_list() - ) - return [ - DefaultInfo( - runfiles = runfiles, - executable = output_file, - ) - ] - -kdebug = rule( - implementation = _kdebug_impl, - attrs = { - "srcs": attr.label_list(allow_files = [".k"]), - "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), - "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), - "kdebug_tool": attr.label( - executable = True, - cfg = "exec", - allow_files = True, - default = Label("//kompile_tool:kdebug_tool"), - ), - "kmerge_tool": attr.label( - executable = True, - cfg = "exec", - allow_files = True, - default = Label("//kompile_tool:kmerge_tool"), - ), - "k_distribution": attr.label( - executable = False, - cfg = "exec", - allow_files = True, - default = Label("//kompile_tool:k_release"), - ), - "debug_script": attr.label( - executable = False, - cfg = "exec", - allow_files = True, - default = 
Label("//kompile_tool:kast_script"), - ), - }, - executable = True, -) - -# # Given executable_file and runfile_file: -# runfiles_root = executable_file.path + ".runfiles" -# workspace_name = ctx.workspace_name -# runfile_path = runfile_file.short_path -# execution_root_relative_path = "%s/%s/%s" % ( -# runfiles_root, workspace_name, runfile_path) - -#Args.add_all \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index a6915f0b5..ae572bbdc 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -1,4 +1,4 @@ -load("//:proof.bzl", "kompile", "kprove", "ktrusted", "kdebug", "kprove_test") +load("//:proof.bzl", "kompile", "kprove_test", "ktrusted") kompile( name = "functions-execute", 
@@ -14,251 +14,281 @@ kprove_test( srcs = ["proof-perform-action-remove-user-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-remove-user-BoardMember-too-few", srcs = ["proof-perform-action-remove-user-BoardMember-too-few.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-remove-user-Proposer-nobody-left", srcs = ["proof-perform-action-remove-user-Proposer-nobody-left.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-remove-user-Proposer", srcs = ["proof-perform-action-remove-user-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-remove-user-None", srcs = ["proof-perform-action-remove-user-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-perform-action-remove-user-New", srcs = ["proof-perform-action-remove-user-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-change-quorum", srcs = ["proof-perform-action-change-quorum.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-change-quorum-no-quorum", srcs = ["proof-perform-action-change-quorum-no-quorum.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-proposer-BoardMember-no-quorum", srcs = ["proof-perform-action-add-proposer-BoardMember-no-quorum.k"], trusted = 
[":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-proposer-BoardMember", srcs = ["proof-perform-action-add-proposer-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-proposer-Proposer", srcs = ["proof-perform-action-add-proposer-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-proposer-New", srcs = ["proof-perform-action-add-proposer-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-proposer-None", srcs = ["proof-perform-action-add-proposer-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", + timeout = "moderate", ) -kdebug( - name = "proof-perform-action-add-board-member-None-debug", - srcs = ["proof-perform-action-add-board-member-None.k"], - trusted = [":trusted-change-user-role-None"], - semantics = ":functions-execute", -) - -kprove( +kprove_test( name = "proof-perform-action-add-board-member-New", srcs = ["proof-perform-action-add-board-member-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-board-member-BoardMember", srcs = ["proof-perform-action-add-board-member-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-board-member-Proposer", srcs = ["proof-perform-action-add-board-member-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", + 
timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-add-board-member-None", srcs = ["proof-perform-action-add-board-member-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-send-egld", srcs = ["proof-perform-action-send-egld.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-sc-call", srcs = ["proof-perform-action-sc-call.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-sc-deploy", srcs = ["proof-perform-action-sc-deploy.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-perform-action-nothing", srcs = ["proof-perform-action-nothing.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-change-user-role-BoardMember", srcs = ["proof-change-user-role-BoardMember.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-change-user-role-New", srcs = ["proof-change-user-role-New.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-change-user-role-None", srcs = ["proof-change-user-role-None.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-change-user-role-Proposer", srcs = ["proof-change-user-role-Proposer.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-count-can-sign", srcs = ["proof-count-can-sign.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-discard-action-has-signers", srcs = ["proof-discard-action-has-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = 
"proof-discard-action-no-role", srcs = ["proof-discard-action-no-role.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-discard-action-no-signers-no-action", srcs = ["proof-discard-action-no-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-discard-action-no-signers", srcs = ["proof-discard-action-no-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-discard-action-no-user", srcs = ["proof-discard-action-no-user.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-discard-action-no-valid-signers-no-action", srcs = ["proof-discard-action-no-valid-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-discard-action-no-valid-signers", srcs = ["proof-discard-action-no-valid-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-propose-action-BoardMember", srcs = ["proof-propose-action-BoardMember.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-propose-action-error-no-role", srcs = ["proof-propose-action-error-no-role.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-propose-action-error-no-user", srcs = ["proof-propose-action-error-no-user.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-propose-action-Proposer", srcs = ["proof-propose-action-Proposer.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-propose-sc-deploy-BoardMember", srcs = ["proof-propose-sc-deploy-BoardMember.k"], 
trusted = [ @@ -266,9 +296,10 @@ kprove( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-propose-sc-deploy-error-no-role", srcs = ["proof-propose-sc-deploy-error-no-role.k"], trusted = [ @@ -276,9 +307,10 @@ kprove( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-propose-sc-deploy-error-no-user", srcs = ["proof-propose-sc-deploy-error-no-user.k"], trusted = [ @@ -286,15 +318,17 @@ kprove( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-propose-sc-deploy-fragment", srcs = ["proof-propose-sc-deploy-fragment.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-propose-sc-deploy-Proposer", srcs = ["proof-propose-sc-deploy-Proposer.k"], trusted = [ 
@@ -302,102 +336,119 @@ kprove( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-sign-caller-none", srcs = ["proof-sign-caller-none.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-sign-caller-not-user", srcs = ["proof-sign-caller-not-user.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-sign-caller-proposer", srcs = ["proof-sign-caller-proposer.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-sign-empty-action", srcs = ["proof-sign-empty-action.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-sign-existing-signers-in-list", srcs = ["proof-sign-existing-signers-in-list.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-sign-existing-signers-not-in-list", srcs = ["proof-sign-existing-signers-not-in-list.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-sign-no-signers", srcs = ["proof-sign-no-signers.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-unsign-no-action", srcs = ["proof-unsign-no-action.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-unsign-no-role", srcs = ["proof-unsign-no-role.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-unsign-no-signers", srcs = ["proof-unsign-no-signers.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-unsign-no-user", srcs = ["proof-unsign-no-user.k"], semantics = ":functions-execute", + timeout = "moderate", ) -kprove( +kprove_test( name = "proof-unsign-not-signed", srcs = ["proof-unsign-not-signed.k"], semantics = ":functions-execute", 
+ timeout = "long", ) -kprove( +kprove_test( name = "proof-unsign-only-signer", srcs = ["proof-unsign-only-signer.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-unsign-other-signers-first", srcs = ["proof-unsign-other-signers-first.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-unsign-other-signers-not-first", srcs = ["proof-unsign-other-signers-not-first.k"], semantics = ":functions-execute", + timeout = "long", ) -kprove( +kprove_test( name = "proof-unsign-Proposer", srcs = ["proof-unsign-Proposer.k"], semantics = ":functions-execute", + timeout = "long", ) ktrusted( From 40e85802b89bf4558b1e86d25cf94a137397a85f Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Tue, 13 Apr 2021 22:04:31 +0300 Subject: [PATCH 25/37] Proofs for performActionFromId. --- multisig/kompile_tool/kmerge.sh | 8 +- multisig/proof.bzl | 6 + .../proof/functions/BUILD | 352 ++++++++++++++++-- .../proof-change-user-role-BoardMember.k | 12 +- .../functions/proof-change-user-role-New.k | 12 +- .../functions/proof-change-user-role-None.k | 12 +- .../proof-change-user-role-Proposer.k | 12 +- .../proof/functions/proof-count-can-sign.k | 2 +- .../proof-discard-action-has-signers.k | 12 +- .../functions/proof-discard-action-no-role.k | 12 +- ...roof-discard-action-no-signers-no-action.k | 12 +- .../proof-discard-action-no-signers.k | 12 +- .../functions/proof-discard-action-no-user.k | 12 +- ...iscard-action-no-valid-signers-no-action.k | 12 +- .../proof-discard-action-no-valid-signers.k | 12 +- ...form-action-add-board-member-BoardMember.k | 8 +- ...roof-perform-action-add-board-member-New.k | 8 +- ...oof-perform-action-add-board-member-None.k | 8 +- ...perform-action-add-board-member-Proposer.k | 8 +- ...ction-add-proposer-BoardMember-no-quorum.k | 8 +- ...-perform-action-add-proposer-BoardMember.k | 8 +- .../proof-perform-action-add-proposer-New.k | 8 +- .../proof-perform-action-add-proposer-None.k | 8 +- ...oof-perform-action-add-proposer-Proposer.k | 8 +- ...f-perform-action-change-quorum-no-quorum.k | 8 +- .../proof-perform-action-change-quorum.k | 8 +- ...m-action-id-add-board-member-BoardMember.k | 96 +++++ ...f-perform-action-id-add-board-member-New.k | 103 +++++ ...-perform-action-id-add-board-member-None.k | 101 +++++ ...form-action-id-add-board-member-Proposer.k | 99 +++++ ...on-id-add-proposer-BoardMember-no-quorum.k | 98 +++++ ...rform-action-id-add-proposer-BoardMember.k | 101 +++++ ...proof-perform-action-id-add-proposer-New.k | 107 ++++++ ...roof-perform-action-id-add-proposer-None.k | 102 +++++ ...-perform-action-id-add-proposer-Proposer.k | 100 +++++ ...erform-action-id-change-quorum-no-quorum.k | 93 +++++ 
.../proof-perform-action-id-change-quorum.k | 96 +++++ ...ction-id-id-add-board-member-BoardMember.k | 95 +++++ ...erform-action-id-id-add-board-member-New.k | 102 +++++ ...rform-action-id-id-add-board-member-None.k | 97 +++++ ...m-action-id-id-add-board-member-Proposer.k | 95 +++++ ...id-id-add-proposer-BoardMember-no-quorum.k | 97 +++++ ...rm-action-id-id-add-proposer-BoardMember.k | 97 +++++ ...of-perform-action-id-id-add-proposer-New.k | 103 +++++ ...f-perform-action-id-id-add-proposer-None.k | 98 +++++ ...rform-action-id-id-add-proposer-Proposer.k | 96 +++++ ...orm-action-id-id-change-quorum-no-quorum.k | 92 +++++ ...proof-perform-action-id-id-change-quorum.k | 92 +++++ .../proof-perform-action-id-id-nothing.k | 1 + ...on-id-id-remove-user-BoardMember-too-few.k | 1 + ...orm-action-id-id-remove-user-BoardMember.k | 1 + ...oof-perform-action-id-id-remove-user-New.k | 1 + ...of-perform-action-id-id-remove-user-None.k | 1 + ...n-id-id-remove-user-Proposer-nobody-left.k | 1 + ...erform-action-id-id-remove-user-Proposer.k | 1 + .../proof-perform-action-id-id-sc-call.k | 1 + .../proof-perform-action-id-id-sc-deploy.k | 1 + .../proof-perform-action-id-id-send-egld.k | 1 + .../proof-perform-action-id-nothing.k | 91 +++++ ...ction-id-remove-user-BoardMember-too-few.k | 101 +++++ ...erform-action-id-remove-user-BoardMember.k | 102 +++++ .../proof-perform-action-id-remove-user-New.k | 107 ++++++ ...proof-perform-action-id-remove-user-None.k | 103 +++++ ...tion-id-remove-user-Proposer-nobody-left.k | 99 +++++ ...f-perform-action-id-remove-user-Proposer.k | 102 +++++ .../proof-perform-action-id-sc-call.k | 100 +++++ .../proof-perform-action-id-sc-deploy.k | 99 +++++ .../proof-perform-action-id-send-egld.k | 98 +++++ .../functions/proof-perform-action-nothing.k | 10 +- ...m-action-remove-user-BoardMember-too-few.k | 8 +- ...f-perform-action-remove-user-BoardMember.k | 8 +- .../proof-perform-action-remove-user-New.k | 8 +- .../proof-perform-action-remove-user-None.k | 8 +- 
...-action-remove-user-Proposer-nobody-left.k | 8 +- ...roof-perform-action-remove-user-Proposer.k | 10 +- .../functions/proof-perform-action-sc-call.k | 8 +- .../proof-perform-action-sc-deploy.k | 8 +- .../proof-perform-action-send-egld.k | 8 +- .../proof-propose-action-BoardMember.k | 12 +- .../functions/proof-propose-action-Proposer.k | 12 +- .../proof-propose-action-error-no-role.k | 12 +- .../proof-propose-action-error-no-user.k | 12 +- .../proof-propose-sc-deploy-BoardMember.k | 12 +- .../proof-propose-sc-deploy-Proposer.k | 12 +- .../proof-propose-sc-deploy-error-no-role.k | 12 +- .../proof-propose-sc-deploy-error-no-user.k | 12 +- .../proof-propose-sc-deploy-fragment.k | 12 +- .../proof/functions/proof-sign-caller-none.k | 12 +- .../functions/proof-sign-caller-not-user.k | 12 +- .../functions/proof-sign-caller-proposer.k | 12 +- .../proof/functions/proof-sign-empty-action.k | 12 +- .../proof-sign-existing-signers-in-list.k | 12 +- .../proof-sign-existing-signers-not-in-list.k | 12 +- .../proof/functions/proof-sign-no-signers.k | 12 +- .../proof/functions/proof-unsign-Proposer.k | 12 +- .../proof/functions/proof-unsign-no-action.k | 12 +- .../proof/functions/proof-unsign-no-role.k | 12 +- .../proof/functions/proof-unsign-no-signers.k | 12 +- .../proof/functions/proof-unsign-no-user.k | 12 +- .../proof/functions/proof-unsign-not-signed.k | 12 +- .../functions/proof-unsign-only-signer.k | 12 +- .../proof-unsign-other-signers-first.k | 12 +- .../proof-unsign-other-signers-not-first.k | 12 +- .../protocol-correctness/proof/invariant.k | 10 +- .../proof/invariant/count-can-sign-parts.k | 18 +- .../proof/invariant/init-loop-parts.k | 8 +- .../proof/invariant/perform-parts.k | 8 +- .../proof/invariant/proof-count-can-sign.k | 4 +- .../proof/invariant/proof-init-loop.k | 8 +- .../proof-perform-add-board-member.k | 8 +- .../invariant/proof-perform-add-proposer-1.k | 6 +- .../invariant/proof-perform-add-proposer-3.k | 8 +- .../invariant/proof-perform-add-proposer-5.k 
| 8 +- .../invariant/proof-perform-add-proposer-7.k | 8 +- .../invariant/proof-perform-add-proposer-8.k | 8 +- .../invariant/proof-perform-add-proposer-9.k | 8 +- .../invariant/proof-perform-change-quorum.k | 16 +- .../proof/invariant/proof-perform-nothing.k | 4 +- .../invariant/proof-perform-remove-user-1.k | 8 +- .../invariant/proof-perform-remove-user-10.k | 8 +- .../invariant/proof-perform-remove-user-3.k | 8 +- .../invariant/proof-perform-remove-user-5.k | 8 +- .../invariant/proof-perform-remove-user-7.k | 8 +- .../invariant/proof-perform-remove-user-9.k | 8 +- .../proof/invariant/proof-perform-s-c-call.k | 8 +- .../invariant/proof-perform-s-c-deploy.k | 8 +- .../proof/invariant/proof-perform-send-egld.k | 8 +- multisig/protocol-correctness/pseudocode.k | 23 +- 128 files changed, 3831 insertions(+), 538 deletions(-) create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k create mode 
100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-call.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k diff --git a/multisig/kompile_tool/kmerge.sh b/multisig/kompile_tool/kmerge.sh index 056366dae..2251ded2d 100755 --- a/multisig/kompile_tool/kmerge.sh +++ b/multisig/kompile_tool/kmerge.sh 
@@ -5,4 +5,10 @@ set -e OUTPUT=$1 shift -cat "$@" | sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' > $OUTPUT +echo > $OUTPUT + +for f in "$@" +do + cat "$f" | sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' >> $OUTPUT + echo >> $OUTPUT +done diff --git a/multisig/proof.bzl b/multisig/proof.bzl index e5d7d5b65..ff4d9d727 100644 --- a/multisig/proof.bzl +++ b/multisig/proof.bzl @@ -152,6 +152,12 @@ def _kprove_test_impl(ctx): script_lines = [ "#!/usr/bin/env bash", "", + # "read line", + # 'echo "aaa: $line"', + # "", + "echo 'To debug:'", + 'echo "cd $(pwd)"', + "echo kompile_tool/kprove_tool %s %s %s --debug" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path), "kompile_tool/kprove_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), ] ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index ae572bbdc..d2d5a7acb 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD 
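Review bot: With only `set -e` in effect, a missing or unreadable input file is silently skipped: the new `cat "$f" | sed ... >> $OUTPUT` pipeline reports sed's exit status, not cat's, so kmerge succeeds and the merged semantics file is simply missing that module. Passing the file to sed directly makes the failure fatal and drops the extra process: `sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' "$f" >> "$OUTPUT"`. `$OUTPUT` is unquoted in all three new redirections (`echo > $OUTPUT`, the sed line, `echo >> $OUTPUT`); quoting it as `"$OUTPUT"`, as `"$f"` already is, keeps a path with whitespace or glob characters from being split. `set -o pipefail` next to `set -e` would also cover the pipeline case, but that line is outside this hunk.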
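Review bot: The three commented-out lines at the top of the added block (`# "read line"`, `# 'echo "aaa: $line"'`, `# "",`) are leftover debugging scaffolding and should be dropped rather than committed. The new debug `echo` also repeats the kprove_tool command string that the following line actually runs, so the printed hint and the real invocation can drift apart; building the command once and using it for both keeps them in sync. `_kprove_test_impl` starts and ends outside this hunk.
```starlark
    cmd = "kompile_tool/kprove_tool %s %s %s" % (
        ctx.attr.semantics[KompileInfo].files[0].short_path,
        ctx.files.srcs[0].path,
        merged_file.short_path,
    )
    script_lines = [
        "#!/usr/bin/env bash",
        "",
        "echo 'To debug:'",
        'echo "cd $(pwd)"',
        "echo %s --debug" % cmd,
        '%s "$@"' % cmd,
    ]
    # … unchanged: ctx.actions.write(...) …
```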
@@ -9,12 +9,178 @@ kompile( ], ) +kprove_test( + name = "proof-perform-action-id-remove-user-BoardMember", + srcs = ["proof-perform-action-id-remove-user-BoardMember.k"], + trusted = [":trusted-perform-action-remove-user-BoardMember"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-remove-user-BoardMember-too-few", + srcs = ["proof-perform-action-id-remove-user-BoardMember-too-few.k"], + trusted = [":trusted-perform-action-remove-user-BoardMember-too-few"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-remove-user-Proposer-nobody-left", + srcs = ["proof-perform-action-id-remove-user-Proposer-nobody-left.k"], + trusted = [":trusted-perform-action-remove-user-Proposer-nobody-left"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-remove-user-Proposer", + srcs = ["proof-perform-action-id-remove-user-Proposer.k"], + trusted = [":trusted-perform-action-remove-user-Proposer"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-remove-user-None", + srcs = ["proof-perform-action-id-remove-user-None.k"], + trusted = [":trusted-perform-action-remove-user-None"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-remove-user-New", + srcs = ["proof-perform-action-id-remove-user-New.k"], + trusted = [":trusted-perform-action-remove-user-New"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-change-quorum", + srcs = ["proof-perform-action-id-change-quorum.k"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-change-quorum-no-quorum", + srcs = ["proof-perform-action-id-change-quorum-no-quorum.k"], + semantics = ":functions-execute", + timeout = "long", +) + 
+kprove_test( + name = "proof-perform-action-id-add-proposer-BoardMember-no-quorum", + srcs = ["proof-perform-action-id-add-proposer-BoardMember-no-quorum.k"], + trusted = [":trusted-perform-action-add-proposer-BoardMember-no-quorum"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-proposer-BoardMember", + srcs = ["proof-perform-action-id-add-proposer-BoardMember.k"], + trusted = [":trusted-perform-action-add-proposer-BoardMember"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-proposer-Proposer", + srcs = ["proof-perform-action-id-add-proposer-Proposer.k"], + trusted = [":trusted-perform-action-add-proposer-Proposer"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-proposer-New", + srcs = ["proof-perform-action-id-add-proposer-New.k"], + trusted = [":trusted-perform-action-add-proposer-New"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-proposer-None", + srcs = ["proof-perform-action-id-add-proposer-None.k"], + trusted = [":trusted-perform-action-add-proposer-None"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-board-member-New", + srcs = ["proof-perform-action-id-add-board-member-New.k"], + trusted = [":trusted-perform-action-add-board-member-New"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-board-member-BoardMember", + srcs = ["proof-perform-action-id-add-board-member-BoardMember.k"], + trusted = [":trusted-perform-action-add-board-member-BoardMember"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-board-member-Proposer", + srcs = ["proof-perform-action-id-add-board-member-Proposer.k"], + trusted = 
[":trusted-perform-action-add-board-member-Proposer"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-add-board-member-None", + srcs = ["proof-perform-action-id-add-board-member-None.k"], + trusted = [":trusted-perform-action-add-board-member-None"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-send-egld", + srcs = ["proof-perform-action-id-send-egld.k"], + trusted = [":trusted-perform-action-send-egld"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-sc-call", + srcs = ["proof-perform-action-id-sc-call.k"], + trusted = [":trusted-perform-action-sc-call"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-sc-deploy", + srcs = ["proof-perform-action-id-sc-deploy.k"], + trusted = [":trusted-perform-action-sc-deploy"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-id-nothing", + srcs = ["proof-perform-action-id-nothing.k"], + trusted = [":trusted-perform-action-nothing"], + semantics = ":functions-execute", + timeout = "long", +) + kprove_test( name = "proof-perform-action-remove-user-BoardMember", srcs = ["proof-perform-action-remove-user-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -22,7 +188,7 @@ kprove_test( srcs = ["proof-perform-action-remove-user-BoardMember-too-few.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( 
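Review bot: Each new `proof-perform-action-id-*` target takes the matching `proof-perform-action-*` claim as a `trusted` lemma, but nothing in the wiring visible here makes the id proof depend on that base proof having passed — `ktrusted` appears to only re-wrap the `.k` source — so if `proof-perform-action-remove-user-New` (now at `timeout = "eternal"`) times out or regresses, `proof-perform-action-id-remove-user-New` can still pass on an unproven assumption. If `kprove_test`/`ktrusted` in proof.bzl do not already enforce this, consider making the base test a dependency, or at least document the obligation on the first new `trusted = [...]` with `# lemma only; must be discharged by :proof-perform-action-remove-user-BoardMember`. Separately, `proof-perform-action-id-change-quorum` and `-no-quorum` are the only new id proofs with no `trusted` entry even though `trusted-perform-action-change-quorum` and `-no-quorum` targets are added in the last hunk of this file; if that is intentional, a one-line comment there would keep the next reader from "fixing" it.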
@@ -30,7 +196,7 @@ kprove_test( srcs = ["proof-perform-action-remove-user-Proposer-nobody-left.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -38,7 +204,7 @@ kprove_test( srcs = ["proof-perform-action-remove-user-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -54,21 +220,21 @@ kprove_test( srcs = ["proof-perform-action-remove-user-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "eternal", ) kprove_test( name = "proof-perform-action-change-quorum", srcs = ["proof-perform-action-change-quorum.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-perform-action-change-quorum-no-quorum", srcs = ["proof-perform-action-change-quorum-no-quorum.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -76,7 +242,7 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-BoardMember-no-quorum.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -84,7 +250,7 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -92,7 +258,7 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( 
@@ -100,7 +266,7 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -108,7 +274,7 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -116,7 +282,7 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -124,7 +290,7 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -132,7 +298,7 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( 
@@ -140,35 +306,35 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-perform-action-send-egld", srcs = ["proof-perform-action-send-egld.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-perform-action-sc-call", srcs = ["proof-perform-action-sc-call.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-perform-action-sc-deploy", srcs = ["proof-perform-action-sc-deploy.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-perform-action-nothing", srcs = ["proof-perform-action-nothing.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -203,7 +369,7 @@ kprove_test( name = "proof-count-can-sign", srcs = ["proof-count-can-sign.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -211,14 +377,14 @@ kprove_test( srcs = ["proof-discard-action-has-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( name = "proof-discard-action-no-role", srcs = ["proof-discard-action-no-role.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -226,7 +392,7 @@ kprove_test( srcs = ["proof-discard-action-no-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -241,7 +407,7 @@ kprove_test( name = "proof-discard-action-no-user", srcs = ["proof-discard-action-no-user.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( 
@@ -249,7 +415,7 @@ kprove_test( srcs = ["proof-discard-action-no-valid-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( @@ -271,14 +437,14 @@ kprove_test( name = "proof-propose-action-error-no-role", srcs = ["proof-propose-action-error-no-role.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-propose-action-error-no-user", srcs = ["proof-propose-action-error-no-user.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -296,7 +462,7 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -307,7 +473,7 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -318,14 +484,14 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-propose-sc-deploy-fragment", srcs = ["proof-propose-sc-deploy-fragment.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -336,21 +502,21 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-sign-caller-none", srcs = ["proof-sign-caller-none.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-sign-caller-not-user", srcs = ["proof-sign-caller-not-user.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( 
@@ -364,7 +530,7 @@ kprove_test( name = "proof-sign-empty-action", srcs = ["proof-sign-empty-action.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -392,28 +558,28 @@ kprove_test( name = "proof-unsign-no-action", srcs = ["proof-unsign-no-action.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-unsign-no-role", srcs = ["proof-unsign-no-role.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-unsign-no-signers", srcs = ["proof-unsign-no-signers.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( name = "proof-unsign-no-user", srcs = ["proof-unsign-no-user.k"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", ) kprove_test( @@ -441,7 +607,7 @@ kprove_test( name = "proof-unsign-other-signers-not-first", srcs = ["proof-unsign-other-signers-not-first.k"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( 
@@ -501,3 +667,107 @@ ktrusted( srcs = ["proof-change-user-role-Proposer.k"], ) +ktrusted( + name = "trusted-perform-action-remove-user-BoardMember", + srcs = ["proof-perform-action-remove-user-BoardMember.k"], +) + +ktrusted( + name = "trusted-perform-action-remove-user-BoardMember-too-few", + srcs = ["proof-perform-action-remove-user-BoardMember-too-few.k"], +) + +ktrusted( + name = "trusted-perform-action-remove-user-Proposer-nobody-left", + srcs = ["proof-perform-action-remove-user-Proposer-nobody-left.k"], +) + +ktrusted( + name = "trusted-perform-action-remove-user-Proposer", + srcs = ["proof-perform-action-remove-user-Proposer.k"], +) + +ktrusted( + name = "trusted-perform-action-remove-user-None", + srcs = ["proof-perform-action-remove-user-None.k"], +) + +ktrusted( + name = "trusted-perform-action-remove-user-New", + srcs = ["proof-perform-action-remove-user-New.k"], +) + +ktrusted( + name = "trusted-perform-action-change-quorum", + srcs = ["proof-perform-action-change-quorum.k"], +) + +ktrusted( + name = "trusted-perform-action-change-quorum-no-quorum", + srcs = ["proof-perform-action-change-quorum-no-quorum.k"], +) + +ktrusted( + name = "trusted-perform-action-add-proposer-BoardMember-no-quorum", + srcs = ["proof-perform-action-add-proposer-BoardMember-no-quorum.k"], +) + +ktrusted( + name = "trusted-perform-action-add-proposer-BoardMember", + srcs = ["proof-perform-action-add-proposer-BoardMember.k"], +) + +ktrusted( + name = "trusted-perform-action-add-proposer-Proposer", + srcs = ["proof-perform-action-add-proposer-Proposer.k"], +) + +ktrusted( + name = "trusted-perform-action-add-proposer-New", + srcs = ["proof-perform-action-add-proposer-New.k"], +) + +ktrusted( + name = "trusted-perform-action-add-proposer-None", + srcs = ["proof-perform-action-add-proposer-None.k"], +) + +ktrusted( + name = "trusted-perform-action-add-board-member-New", + srcs = ["proof-perform-action-add-board-member-New.k"], +) + +ktrusted( + name = 
"trusted-perform-action-add-board-member-BoardMember", + srcs = ["proof-perform-action-add-board-member-BoardMember.k"], +) + +ktrusted( + name = "trusted-perform-action-add-board-member-Proposer", + srcs = ["proof-perform-action-add-board-member-Proposer.k"], +) + +ktrusted( + name = "trusted-perform-action-add-board-member-None", + srcs = ["proof-perform-action-add-board-member-None.k"], +) + +ktrusted( + name = "trusted-perform-action-send-egld", + srcs = ["proof-perform-action-send-egld.k"], +) + +ktrusted( + name = "trusted-perform-action-sc-call", + srcs = ["proof-perform-action-sc-call.k"], +) + +ktrusted( + name = "trusted-perform-action-sc-deploy", + srcs = ["proof-perform-action-sc-deploy.k"], +) + +ktrusted( + name = "trusted-perform-action-nothing", + srcs = ["proof-perform-action-nothing.k"], +) diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k index c1a7156fb..ebd7bb842 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-BoardMember.k @@ -20,11 +20,7 @@ module PROOF-CHANGE-USER-ROLE-BOARDMEMBER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-CHANGE-USER-ROLE-BOARDMEMBER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k index ad53de6cc..dd581d0cb 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-New.k @@ -20,11 +20,7 @@ module PROOF-CHANGE-USER-ROLE-NEW ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-CHANGE-USER-ROLE-NEW ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k index 64bed582f..6ab62ab09 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-None.k @@ -20,11 +20,7 @@ module PROOF-CHANGE-USER-ROLE-NONE ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-CHANGE-USER-ROLE-NONE ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k index c8875fc84..42f8febd6 100644 --- a/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-change-user-role-Proposer.k 
@@ -20,11 +20,7 @@ module PROOF-CHANGE-USER-ROLE-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-CHANGE-USER-ROLE-PROPOSER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k index 3a06ac732..69f750a35 100644 --- a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k +++ b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k @@ -22,7 +22,7 @@ module PROOF-COUNT-CAN-SIGN ActionData:Map, ActionSigners:Map, CallerAddress:Address, - Stack:List, + Stack:Stack, .Map, PerformedActions:List ) diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k index d6ed3918c..742a4af01 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k @@ -27,11 +27,7 @@ module PROOF-DISCARD-ACTION-HAS-SIGNERS ActionData:Map, (ActionId |-> SignerIds _ActionSigners:Map) #as ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -51,11 +47,7 @@ module PROOF-DISCARD-ACTION-HAS-SIGNERS ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell 
diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k index bb487fde4..f19cdeee8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-role.k @@ -20,11 +20,7 @@ module PROOF-DISCARD-ACTION-NO-ROLE ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-DISCARD-ACTION-NO-ROLE ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k index 4332ad9c0..5ecac37ee 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers-no-action.k @@ -27,11 +27,7 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS-NO-ACTION ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -51,11 +47,7 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS-NO-ACTION ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k index 3a12a11de..f5fb2147d 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-signers.k @@ -27,11 +27,7 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS ActionId |-> _:Action ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -51,11 +47,7 @@ module PROOF-DISCARD-ACTION-NO-SIGNERS ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k index b2c156929..6261376ab 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-user.k @@ -20,11 +20,7 @@ module PROOF-DISCARD-ACTION-NO-USER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-DISCARD-ACTION-NO-USER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k index aec1251c2..c31444f16 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k 
@@ -29,11 +29,7 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION ActionData:Map, ActionId |-> SignerIds ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -53,11 +49,7 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k index 180cf9406..ca28304da 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k @@ -27,11 +27,7 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS ActionId |-> _:Action ActionData:Map, ActionId |-> SignerIds ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -51,11 +47,7 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k index 9e1365cc0..0a88da1e7 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k 
@@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k index df32b4a54..4e7d81ff6 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k index 5dbfe9b57..5c2294f91 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k index 751b326be..8f67df186 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k index 0c28be09a..0151cb8a8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k index 891b57e9d..51dfd972c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => 
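Review bot: The error claim in the `@@ -64,6 +67,9 @@` hunk of proof-perform-action-add-proposer-BoardMember-no-quorum.k appends `ListItem(Action) PerformedActions` on a path that ends in `error`, so an AddProposer rejected for breaking the quorum is still recorded as performed. If `PerformedActions` is meant to be the list of actions that actually took effect, the RHS here should keep `PerformedActions` unchanged; if it is intentionally a log of attempts, a one-line comment such as `// PerformedActions records attempts, including ones that end in error` would save the next reader the question. The new proof-perform-action-id-add-proposer-BoardMember-no-quorum.k added by this same commit does not append on its error path, so one of the two is inconsistent. The claim's LHS and `requires` lie outside this hunk.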
@@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k index e30b08f1e..8875c26ca 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-NEW .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-NEW CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k index 51c827238..06b77406f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-NONE .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-NONE CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k index f723a06cd..565f34f93 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k 
@@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-PROPOSER .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-PROPOSER CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k index 5d83be627..f8de0b559 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum-no-quorum.k @@ -29,11 +29,14 @@ module PROOF-PERFORM-ACTION-CHANGE-QUORUM-NO-QUORUM .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -61,6 +64,9 @@ module PROOF-PERFORM-ACTION-CHANGE-QUORUM-NO-QUORUM CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k index c69da7b2c..f8bc3be33 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-change-quorum.k @@ -29,11 +29,14 @@ module PROOF-PERFORM-ACTION-CHANGE-QUORUM .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -61,6 +64,9 @@ module PROOF-PERFORM-ACTION-CHANGE-QUORUM CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k new file mode 100644 index 000000000..cff5fda1f --- /dev/null 
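Review bot: The `@@ -61,6 +64,9 @@` hunk of proof-perform-action-change-quorum-no-quorum.k adds `ListItem(Action) PerformedActions` to the post-state of a claim that (by its name) ends in an error, so a ChangeQuorum rejected as larger than the board is still logged as performed. Either keep `PerformedActions` unchanged on that RHS or document above the claim that the list records attempts rather than effects; the success twin in proof-perform-action-change-quorum.k makes the same append, so the two are currently indistinguishable from the log alone. The continuation term and `requires` of this claim are not in the hunk, so I cannot confirm the error outcome from the visible lines.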
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k @@ -0,0 +1,96 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k new file mode 100644 index 000000000..b7af72d9e --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k 
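Review bot: Nothing in this new claim says which case of `performActionFromId` it pins: `AddBoardMember(UserAddress)` where `UserId |-> BoardMember` is already in the role map, so users, counts and roles are unchanged and the only effect is dropping `ActionId` from `ActionData` and `ActionSigners` and prepending `ListItem(Action)` to `PerformedActions`. A header comment above `claim` stating that, and stating that no quorum or signer precondition appears here because the quorum check presumably lives in the caller rather than in `performActionFromId`, would make the proof set reviewable without reading the pseudocode. Suggested: `// Case: target address is already a BoardMember. performActionFromId leaves users/roles untouched; it only consumes the action (ActionData, ActionSigners) and logs it. Quorum is not checked here - the caller is expected to have done it.` The `//@ trusted` / `[trusted]` toggles also deserve one line explaining that the same file doubles as a trusted lemma for other proofs.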
@@ -0,0 +1,103 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers +Int 1) + NumProposers + u(NumUsers +Int 1) |-> BoardMember UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + + andBool notBool UserAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k new file mode 100644 index 000000000..1c4e10cef --- /dev/null 
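Review bot: Unlike the sibling claims (BoardMember, None, Proposer) this one does not require `addressToUserIdInvariant(AddressToUserId)`, so the post-state it proves — `UserAddress |-> u(NumUsers +Int 1)` added to a map that may already disagree with `UserIdToAddress` — rests only on the two `unusedIdsInMapKeys(...)` facts and `notBool UserAddress in_keys(AddressToUserId)`. The `// TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId)` comment points at this gap; if the invariant already implies that `NumUsers +Int 1` is unused as a value, adding `andBool addressToUserIdInvariant(AddressToUserId)` to `requires` is the simplest closure and makes this claim composable with the others. Also `someting` → `something` in that comment.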
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k @@ -0,0 +1,101 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers +Int 1) + NumProposers + UserId |-> BoardMember UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k new file mode 100644 index 000000000..da5a79086 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k 
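Review bot: The LHS configuration lists `PerformedActions:List` twice (`PerformedActions:List + + + PerformedActions:List` just before `=>`), whereas the add-board-member BoardMember and New claims list it once; the extra three lines look like a copy-paste of the `PerformedActions` cell. If it is a duplicated cell it should be removed — K will either reject the duplicate or match two distinct cells with the same variable, neither of which is what the post-state `ListItem(Action) PerformedActions` intends. Cell tags are not visible in this rendering, so please confirm which cells the two occurrences belong to; the same pattern appears in the Proposer claim and in every add-proposer and change-quorum claim of this commit.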
@@ -0,0 +1,99 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> Proposer UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers +Int 1) + u(NumProposers -Int 1) + UserId |-> BoardMember UserIdToRole:Map + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k new file mode 100644 index 000000000..4a8767e1c --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k 
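Review bot: The post-state uses `u(NumProposers -Int 1)` but `requires` carries only `isKResult(Action)` and `addressToUserIdInvariant(AddressToUserId)`; nothing states `NumProposers >=Int 1`, so for the symbolic `NumProposers:Int` the claim also describes a state with a negative proposer count wrapped in `u(...)`. `UserId |-> Proposer` in the role map makes a count of at least one true in any reachable state, but that is a separate invariant (count equals number of Proposer entries) that this claim does not assume. Suggest `andBool NumProposers >=Int 1` in `requires`, or the count/role invariant if one exists elsewhere in the proof set, so `u(...)` is never applied to a negative Int. Whether `u` itself restricts its argument to be non-negative is not visible here; if it does, a comment saying so would settle it.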
@@ -0,0 +1,98 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + error ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole:Map + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool Quorum ==Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k new file mode 100644 index 000000000..3b39ca513 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k 
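Review bot: This error claim's post-state keeps the effects of the role change — `u(NumBoardMembers -Int 1)`, `u(NumProposers +Int 1)`, `UserId |-> Proposer`, and `ActionId` removed from `ActionData` and `ActionSigners` — while the continuation is `error ~> K`. If `error` models a failed contract call, the board member has been demoted below quorum in the proven state, which is exactly what the `Quorum ==Int NumBoardMembers` check exists to prevent; if the surrounding semantics discards the state on `error`, a comment such as `// state shown is pre-revert; the caller discards it on error` is needed so the claim is not read as a bug. Note also that the RHS has no `PerformedActions` cell although the LHS binds `PerformedActions:List` (twice, see the repeated block before `=>`), so the two sides do not cover the same cells; write the intended post-value explicitly.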
@@ -0,0 +1,101 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole:Map + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool Quorum <=Int NumBoardMembers -Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k new file mode 100644 index 000000000..fb1c50f39 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k 
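Review bot: `u(NumBoardMembers -Int 1)` in the post-state is non-negative only if `Quorum >=Int 0` is known, because the sole arithmetic precondition is `Quorum <=Int NumBoardMembers -Int 1` over the unconstrained `Quorum:Int`. If `u(_)` does not itself restrict its argument, add `andBool Quorum >=Int 0` (or `andBool NumBoardMembers >=Int 1`) to `requires` so the claim does not also cover an impossible negative board size. Separately, `PerformedActions:List` appears twice on the LHS before `=>`, unlike the add-board-member BoardMember and New claims; confirm that this is not a duplicated cell.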
@@ -0,0 +1,107 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers) + u(NumProposers +Int 1) + u(NumUsers +Int 1) |-> Proposer UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k new file mode 100644 index 000000000..d9cde7d52 --- /dev/null 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k @@ -0,0 +1,102 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k new file mode 100644 index 000000000..8f3160587 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k 
@@ -0,0 +1,100 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k new file mode 100644 index 000000000..368b95241 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k 
@@ -0,0 +1,93 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + OldQuorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + error ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + OldQuorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool NewQuorum >Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k new file mode 100644 index 000000000..c3d45a19c --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k 
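Review bot: The error claim still removes `ActionId` from `ActionData` and applies `ActionSigners[ActionId <- undef]`, so a rejected quorum change consumes the action and its signatures even though the result is `error ~> K`. If this mirrors the pseudocode clearing the action before the `NewQuorum >Int NumBoardMembers` check it is correct, but on its own it reads like a missing rollback; a comment above the right-hand side such as `// The action is cleared before the quorum check, so the error path also consumes it.` would prevent that misreading. The same shape appears in the other error-path claims on L568, L573 and L578.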
@@ -0,0 +1,96 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-CHANGE-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + _OldQuorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + u(NewQuorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool NewQuorum <=Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k new file mode 100644 index 000000000..fbd1e63d1 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k 
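Review bot: The success precondition is only `NewQuorum <=Int NumBoardMembers`, so the claim also covers `NewQuorum` equal to 0 and, because it is declared `Int`, negative values unless `u(_)` constrains them; L565 adds `NumUsers >=Int 0` explicitly, which suggests it does not. If a zero quorum is meant to be accepted, say so in a comment, since after this step an action presumably needs no signers at all; otherwise narrow the claim with `andBool NewQuorum >=Int 0` (matching the L565 convention) and cover the pseudocode's lower-bound rejection, if it has one, in a separate error claim. L574 has the same precondition.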
@@ -0,0 +1,95 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k new file mode 100644 index 000000000..1525fefde --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k 
@@ -0,0 +1,102 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers +Int 1) + NumProposers + u(NumUsers +Int 1) |-> BoardMember UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + + andBool notBool UserAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k new file mode 100644 index 000000000..3284d347a --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k 
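Review bot: Typo in the precondition comment: `// someting to map values to keys.` should read `// something to map values to keys.` (L580 already has the corrected spelling); L570 carries the same typo. Separately, `notBool UserAddress in_keys(AddressToUserId)` relies on sort-directed parsing to group as `notBool (UserAddress in_keys(AddressToUserId))`, whereas L580 writes the parentheses explicitly; the files should agree on one form, and the explicit one is easier to read.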
@@ -0,0 +1,97 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers +Int 1) + NumProposers + UserId |-> BoardMember UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k new file mode 100644 index 000000000..8a92f0f4d --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k 
@@ -0,0 +1,95 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddBoardMember(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> Proposer UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers +Int 1) + u(NumProposers -Int 1) + UserId |-> BoardMember UserIdToRole:Map + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k new file mode 100644 index 000000000..ccd596a8b --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k 
@@ -0,0 +1,97 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + error ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole:Map + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool Quorum ==Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k new file mode 100644 index 000000000..7214ce4dd --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k 
@@ -0,0 +1,97 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserId |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole:Map + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool Quorum <=Int NumBoardMembers -Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k new file mode 100644 index 000000000..9788385b0 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k 
@@ -0,0 +1,103 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers) + u(NumProposers +Int 1) + u(NumUsers +Int 1) |-> Proposer UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserAddress in_keys(AddressToUserId) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k new file mode 100644 index 000000000..c928962a2 --- /dev/null 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k @@ -0,0 +1,98 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers +Int 1) + UserId |-> Proposer UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k new file mode 100644 index 000000000..6e49f5fc7 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k 
@@ -0,0 +1,96 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + AddProposer(UserAddress:Address) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k new file mode 100644 index 000000000..aa72dc27a --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k 
@@ -0,0 +1,92 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-ID-CHANGE-QUORUM-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-CHANGE-QUORUM-NO-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + OldQuorum:Usize + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + error ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + OldQuorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool NewQuorum >Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k new file mode 100644 index 000000000..4de4905ac --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k 
@@ -0,0 +1,92 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-ID-CHANGE-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-ID-CHANGE-QUORUM +//@ end + + imports PSEUDOCODE + + claim + + call(performAction( + ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + )) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + NumProposers:Usize + UserIdToRole:Map + _OldQuorum:Usize + + + ActionLastIndex:Usize + + ActionId |-> + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + NumProposers + UserIdToRole + u(NewQuorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool NewQuorum <=Int NumBoardMembers + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k new file mode 100644 index 000000000..519c04227 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k @@ -0,0 +1 @@ +proof-perform-action-nothing.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k new file mode 100644 index 000000000..c5cc5bd21 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k @@ -0,0 +1 @@ +proof-perform-action-remove-user-BoardMember-too-few.k -- 
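Review bot: The files `proof-perform-action-id-id-nothing.k` and `proof-perform-action-id-id-remove-user-BoardMember-too-few.k` added at the end of this line contain only the name of another file (`proof-perform-action-nothing.k`, `proof-perform-action-remove-user-BoardMember-too-few.k`) yet are committed as `new file mode 100644`, i.e. regular files, which the K tooling would not parse as modules. If they are meant to redirect to the named proof, commit them as symlinks (mode 120000) or replace the content with a `require` of the target file and an `imports` of its module. The same holds for the one-line files on L575 and L576.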
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k new file mode 100644 index 000000000..c6345d8ed --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k @@ -0,0 +1 @@ +proof-perform-action-remove-user-BoardMember.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k new file mode 100644 index 000000000..860083509 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k @@ -0,0 +1 @@ +proof-perform-action-remove-user-New.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k new file mode 100644 index 000000000..71ca326b1 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k @@ -0,0 +1 @@ +proof-perform-action-remove-user-None.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k new file mode 100644 index 000000000..f1bf464db --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k @@ -0,0 +1 @@ +proof-perform-action-remove-user-Proposer-nobody-left.k -- 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k new file mode 100644 index 000000000..63c357c19 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k @@ -0,0 +1 @@ +proof-perform-action-remove-user-Proposer.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k new file mode 100644 index 000000000..c23e798c4 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k @@ -0,0 +1 @@ +proof-perform-action-sc-call.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k new file mode 100644 index 000000000..a49c57e29 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k @@ -0,0 +1 @@ +proof-perform-action-sc-deploy.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k new file mode 100644 index 000000000..ad8307fa0 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k @@ -0,0 +1 @@ +proof-perform-action-send-egld.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k new file mode 100644 index 000000000..3782cc067 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k 
@@ -0,0 +1,91 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-NOTHING +//@ trusted +// module TRUSTED-PERFORM-NOTHING +//@ end + + imports PSEUDOCODE + + claim + + call(performAction(Nothing:Action)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + ActionData:Map + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k new file mode 100644 index 000000000..93522f3ac --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k 
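Review bot: `ActionId` and `Action` are used on the right-hand side (`ActionSigners[ActionId <- undef]`, `ListItem(Action) PerformedActions`) but neither is bound on the left: the call is `performAction(Nothing:Action)`, which binds nothing named `Action`, and the action-data map is just `ActionData:Map` with no `ActionId |-> ...` entry, as far as the hunk shows. Unbound right-hand-side variables are rejected by the prover, so this claim cannot currently be checked. The sibling `-id-` files (e.g. L560, L578) call `performActionFromId(ActionId:Usize)` and bind `ActionId |-> ... #as Action:Action` in the map; this file's name suggests the same shape was intended. The commented module name `// module TRUSTED-PERFORM-NOTHING` also drops the `ACTION-ID` segment the other trusted names keep, and the file lacks a trailing newline.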
@@ -0,0 +1,101 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + error ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers) + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool (false + orBool NumBoardMembers +Int NumProposers ==Int 1 + orBool Quorum ==Int NumBoardMembers + ) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k new file mode 100644 index 000000000..44dd90509 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k 
@@ -0,0 +1,102 @@ +//@ proof +require "trusted-change-user-role-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER + imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> BoardMember UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers -Int 1) + u(NumProposers) + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + andBool Quorum <=Int NumBoardMembers -Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k new file mode 100644 index 000000000..cd78f0a67 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k 
@@ -0,0 +1,107 @@ +//@ proof +require "trusted-change-user-role-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-REMOVE-USER-NEW + imports TRUSTED-CHANGE-USER-ROLE-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-NEW +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers +Int 1) + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress + UserAddress |-> u(NumUsers +Int 1) AddressToUserId + + + u(NumBoardMembers) + u(NumProposers) + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // something to map values to keys. + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool Quorum <=Int NumBoardMembers + + andBool notBool (UserAddress in_keys(AddressToUserId)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k new file mode 100644 index 000000000..bd2ad7add --- /dev/null 
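Review bot: Performing `RemoveUser(UserAddress)` for an address that is not yet a user does not fail here: under `notBool (UserAddress in_keys(AddressToUserId))` the post-state registers the address as user `u(NumUsers +Int 1)` in both `UserIdToAddress` and `AddressToUserId`, bumps the user count, and finishes with `evaluate(void)`. That is a state-growing side effect of a removal action, presumably mirroring a get-or-create user lookup in the contract (the claim imports TRUSTED-CHANGE-USER-ROLE-NEW), and a comment above the claim saying so would stop readers reading it as a modelling artefact, e.g. `// RemoveUser of an unknown address registers it with no role — intended contract behaviour, not a modelling shortcut (confirm against the contract's user lookup)`. The `// TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId)` comment is also split from its continuation `// something to map values to keys.` by a blank line, so it reads as two unrelated notes.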
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k @@ -0,0 +1,103 @@ +//@ proof +require "trusted-change-user-role-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-REMOVE-USER-NONE + imports TRUSTED-CHANGE-USER-ROLE-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-NONE +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers) + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool Quorum <=Int NumBoardMembers + + andBool notBool (u(UserId) in_keys(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k new file mode 100644 index 000000000..be5d0e826 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k 
@@ -0,0 +1,99 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> Proposer UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + error ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers -Int 1) + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool NumBoardMembers +Int NumProposers ==Int 1 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k new file mode 100644 index 000000000..7b567d622 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k 
@@ -0,0 +1,102 @@ +//@ proof +require "trusted-change-user-role-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER + imports TRUSTED-CHANGE-USER-ROLE-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + u(NumUsers:Int) + UserIdToAddress:Map + (UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map + + + u(NumBoardMembers:Int) + u(NumProposers:Int) + u(UserId:Int) |-> Proposer UserIdToRole:Map + u(Quorum:Int) + + + ActionLastIndex:Usize + + + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + u(NumUsers) + UserIdToAddress + AddressToUserId + + + u(NumBoardMembers) + u(NumProposers -Int 1) + UserIdToRole + u(Quorum) + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-call.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-call.k new file mode 100644 index 000000000..9d3a51e6f --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-call.k 
@@ -0,0 +1,100 @@ +//@ proof +require "trusted-perform-action-sc-call.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-SC-CALL + imports TRUSTED-PERFORM-ACTION-SC-CALL +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-SC-CALL +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> SCCall( + _To:Address, + _Amount:BigUint, + _Function:BoxedBytes, + _Arguments:ExpressionList) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k new file mode 100644 index 000000000..988e0b3ea --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k 
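Review bot: As written, performing an `SCCall` changes nothing in the multisig state beyond dropping the entry from `ActionData`, `ActionSigners[ActionId <- undef]`, and `ListItem(Action) PerformedActions`; the `_To`, `_Amount`, `_Function` and `_Arguments` fields are unconstrained and the outgoing call has no modelled effect. If the call's effects, or the value it moves, are modelled elsewhere, a comment pointing there would keep readers from taking this as a statement about the call itself, e.g. `// Only the multisig's own bookkeeping is specified here; the external call is outside this model.` The SC-DEPLOY and SEND-EGLD claims at L585 and L586 have the same shape and would take the same comment. Two style points: this file writes `?_Variables` in the post-state where every other new claim writes `?_Variables:Map`, and these three new files end without a trailing newline (`\ No newline at end of file`).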
@@ -0,0 +1,99 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-SC-DEPLOY +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-SC-DEPLOY +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> SCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _CodeMetadata:CodeMetadata, + _Arguments:ExpressionList) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k new file mode 100644 index 000000000..16508fc55 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k 
@@ -0,0 +1,98 @@ +//@ proof +module PROOF-PERFORM-ACTION-ID-SEND-EGLD +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-SEND-EGLD +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + + ActionId |-> SendEgld( + _To:Address, + _Amount:BigUint, + _Data:BoxedBytes) #as Action:Action + ActionData:Map + + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables:Map + Stack + + + CallerAddress + + + ListItem(Action) PerformedActions + + + + requires true + andBool isKResult(Action) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k index 4520ce641..0016913bf 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k @@ -8,7 +8,7 @@ module PROOF-PERFORM-ACTION-NOTHING claim - call(performAction(Nothing:Action)) ~> K:K + call(performAction(Nothing #as Action:Action)) ~> K:K @@ -26,11 +26,14 @@ module PROOF-PERFORM-ACTION-NOTHING .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -58,6 +61,9 @@ module PROOF-PERFORM-ACTION-NOTHING CallerAddress + + ListItem(Action) PerformedActions + requires true 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k index 512e29b8b..764488d7f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k index 99601846e..5c5b0ef99 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k index 6b39f92ca..6ef728d3b 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k 
@@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-NEW .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-NEW CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k index 6eec392d9..1db688d90 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-NONE .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-NONE CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k index b3a335880..b5fc5c948 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k index 899d8c884..b27c78a4c 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k @@ -32,16 +32,19 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => - evaluate(void) ~> K + evaluate(void) ~> K @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k index 3493e51e1..1e8d2d025 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-call.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-SC-CALL .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-SC-CALL CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k index 2dfdbc695..7d83935e6 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-sc-deploy.k @@ -32,11 +32,14 @@ module PROOF-PERFORM-ACTION-SC-DEPLOY .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -64,6 +67,9 @@ module PROOF-PERFORM-ACTION-SC-DEPLOY CallerAddress + + ListItem(Action) PerformedActions + requires true 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k index 0825fa94c..aaa815d38 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-send-egld.k @@ -31,11 +31,14 @@ module PROOF-PERFORM-ACTION-SEND-EGLD .Map - Stack:List + Stack:Stack CallerAddress:Address + + PerformedActions:List + => @@ -63,6 +66,9 @@ module PROOF-PERFORM-ACTION-SEND-EGLD CallerAddress + + ListItem(Action) PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k index 9268998d9..4c4f9d81d 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k @@ -20,11 +20,7 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER u(ActionLastIndex +Int 1) |-> Action ActionData, (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k index 60e02ca45..8535bf8f3 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k @@ -20,11 +20,7 @@ module PROOF-PROPOSE-ACTION-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-PROPOSE-ACTION-PROPOSER u(ActionLastIndex +Int 1) |-> Action ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k index fb0aba01f..a2f27d56b 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-role.k @@ -20,11 +20,7 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-ROLE ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-ROLE ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables:Map, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k index 4cc44d411..5b03fd0dc 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-error-no-user.k 
@@ -20,11 +20,7 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-USER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-PROPOSE-ACTION-ERROR-NO-USER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables:Map, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k index b1ea61449..d854d9946 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-BoardMember.k @@ -39,11 +39,7 @@ module PROOF-PROPOSE-SC-DEPLOY-BOARDMEMBER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -69,11 +65,7 @@ module PROOF-PROPOSE-SC-DEPLOY-BOARDMEMBER ActionData, (u(ActionLastIndex +Int 1) |-> [{AddressToUserId[CallerAddress]}:>Usize, .]) ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k index d867d6fd8..dfb91fa31 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-Proposer.k 
@@ -39,11 +39,7 @@ module PROOF-PROPOSE-SC-DEPLOY-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -69,11 +65,7 @@ module PROOF-PROPOSE-SC-DEPLOY-PROPOSER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k index 28db4ddfe..5af1d3745 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-role.k @@ -39,11 +39,7 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -63,11 +59,7 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-ROLE ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables:Map, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k index a36af36cf..b1ac48787 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-error-no-user.k 
@@ -39,11 +39,7 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-USER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -63,11 +59,7 @@ module PROOF-PROPOSE-SC-DEPLOY-ERROR-NO-USER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables:Map, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k index 0224bbcbb..0505c01c4 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-sc-deploy-fragment.k @@ -33,11 +33,7 @@ module PROOF-PROPOSE-SC-DEPLOY-FRAGMENT ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -61,11 +57,7 @@ module PROOF-PROPOSE-SC-DEPLOY-FRAGMENT ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, code_metadata |-> codeMetadataFunction(Upgradeable, Payable, Readable), PerformedActions:List ) diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k index 373ead98e..e66477951 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-none.k 
@@ -20,11 +20,7 @@ module PROOF-SIGN-CALLER-NONE ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-SIGN-CALLER-NONE ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k index 13b3c0e78..a560812cd 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-not-user.k @@ -20,11 +20,7 @@ module PROOF-SIGN-CALLER-NOT-USER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-SIGN-CALLER-NOT-USER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k index 4fe1ef53c..381966298 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-caller-proposer.k @@ -20,11 +20,7 @@ module PROOF-SIGN-CALLER-PROPOSER ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) 
@@ -44,11 +40,7 @@ module PROOF-SIGN-CALLER-PROPOSER ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k index 436929cad..a5e662a23 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-empty-action.k @@ -20,11 +20,7 @@ module PROOF-SIGN-EMPTY-ACTION ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-SIGN-EMPTY-ACTION ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k index e333b906d..19fd16098 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-in-list.k @@ -20,11 +20,7 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST ActionData:Map, ((ActionId |-> Signers:ExpressionList) _ActionSigners:Map) #as ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) 
@@ -44,11 +40,7 @@ module PROOF-SIGN-EXISTING-SIGNERS-IN-LIST ActionData, ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k index 23518bdd4..eb51451df 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-existing-signers-not-in-list.k @@ -20,11 +20,7 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST ActionData:Map, (ActionId |-> [Signers:ExpressionCSV]) ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) @@ -44,11 +40,7 @@ module PROOF-SIGN-EXISTING-SIGNERS-NOT-IN-LIST ActionData, (ActionId |-> [#pushList(Signers, UserId)]) ActionSigners, CallerAddress, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, ?_Variables, PerformedActions:List ):StateCell diff --git a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k index 3540cf3f6..e02229da4 100644 --- a/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-sign-no-signers.k @@ -20,11 +20,7 @@ module PROOF-SIGN-NO-SIGNERS ActionData:Map, ActionSigners:Map, CallerAddress:Address, - //@ proof - .List, // TODO: Stack:List, - //@ trusted - // Stack:List, - //@ end + Stack:Stack, .Map, PerformedActions:List ) 
@@ -44,11 +40,7 @@ module PROOF-SIGN-NO-SIGNERS
 ActionData,
 ActionId |-> [UserId, .] ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k
index b88c509b8..b5b8fb5af 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-Proposer.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-PROPOSER
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-PROPOSER
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k
index 90c3df041..ff192cc8b 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-action.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-NO-ACTION
 ActionData:Map,
 ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-NO-ACTION
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k
index 02e3177f0..5f8a86d5d 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-role.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-NO-ROLE
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-NO-ROLE
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k
index 44f4b30dd..9bf605b96 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-signers.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-NO-SIGNERS
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-NO-SIGNERS
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k b/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k
index 62dd01923..dbf246381 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-no-user.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-NO-USER
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-NO-USER
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k b/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k
index f016b9ee2..fe0601cb0 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-not-signed.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-NOT-SIGNED
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 (ActionId |-> Signers:ExpressionList _ActionSigners:Map) #as ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-NOT-SIGNED
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k b/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k
index 4c055a50d..2e790ca5d 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-only-signer.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-ONLY-SIGNER
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionId |-> [UserId, .] ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-ONLY-SIGNER
 ActionData,
 ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k
index d023acd89..0385e338c 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-first.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-OTHER-SIGNERS-FIRST
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionId |-> [(UserId, _:Usize, _Signers:ExpressionCSV) #as Signers:ExpressionCSV] ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-OTHER-SIGNERS-FIRST
 ActionData,
 ActionId |-> [#listSwapRemove(Signers, #listFind([Signers], UserId))] ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k
index 478dfe9cd..adba9d5ce 100644
--- a/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k
+++ b/multisig/protocol-correctness/proof/functions/proof-unsign-other-signers-not-first.k
@@ -21,11 +21,7 @@ module PROOF-UNSIGN-OTHER-SIGNERS-NOT-FIRST
 (ActionId |-> Action:Action _ActionData:Map) #as ActionData:Map,
 ActionId |-> [(First:Usize, _Signers:ExpressionCSV) #as Signers:ExpressionCSV] ActionSigners:Map,
 CallerAddress:Address,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 .Map,
 PerformedActions:List
 )
@@ -45,11 +41,7 @@ module PROOF-UNSIGN-OTHER-SIGNERS-NOT-FIRST
 ActionData,
 ActionId |-> [#listSwapRemove(Signers, #listFind([Signers], UserId))] ActionSigners,
 CallerAddress,
- //@ proof
- .List, // TODO: Stack:List,
- //@ trusted
- // Stack:List,
- //@ end
+ Stack:Stack,
 ?_Variables,
 PerformedActions:List
 ):StateCell
diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k
index 87bff3332..169339ae6 100644
--- a/multisig/protocol-correctness/proof/invariant.k
+++ b/multisig/protocol-correctness/proof/invariant.k
@@ -102,7 +102,7 @@ module INVARIANT
 actionData:Map,
 actionSigners:Map,
 callerAddress:KItem,
- stack:List,
+ stack:Stack,
 performedActions:List) [function, functional]
 syntax StateCell ::= invariantStateFull(
@@ -117,7 +117,7 @@ module INVARIANT
 actionData:Map,
 actionSigners:Map,
 callerAddress:KItem,
- stack:List,
+ stack:Stack,
 variables:Map,
 performedActions:List) [function, functional]
@@ -146,7 +146,7 @@ module INVARIANT
 ActionData,
 ActionSigners,
 uninitialized,
- .List,
+ .stack,
 PerformedActions)
 rule invariantStateStack(
@@ -161,7 +161,7 @@ module INVARIANT
 ActionData:Map,
 ActionSigners:Map,
 CallerAddress:KItem,
- Stack:List,
+ Stack:Stack,
 PerformedActions:List)
 => invariantStateFull(
 NumUsers,
@@ -191,7 +191,7 @@ module INVARIANT
 ActionData:Map,
 ActionSigners:Map,
 CallerAddress:KItem,
- Stack:List,
+ Stack:Stack,
 Variables:Map,
 PerformedActions:List)
 =>
diff --git a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k
index 1e817edad..83f9da248 100644
--- a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k
+++ b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k
@@ -13,12 +13,12 @@ module COUNT-CAN-SIGN-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- stack:List,
+ stack:Stack,
 ExternalCallEnvCell,
 performedActions:List) [function, functional]
- rule countCanSignLhs(
+ rule Stack(
 SignerIds:ExpressionList,
 K:K,
 Users:UsersCell,
@@ -28,7 +28,7 @@ module COUNT-CAN-SIGN-PARTS
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 PerformedActions:List)
 =>
@@ -68,7 +68,7 @@ module COUNT-CAN-SIGN-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- stack:List,
+ stack:Stack,
 ExternalCallEnvCell,
 performedActions:List) [function, functional]
@@ -83,7 +83,7 @@ module COUNT-CAN-SIGN-PARTS
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 PerformedActions:List)
 =>
@@ -121,7 +121,7 @@ module COUNT-CAN-SIGN-PARTS
 quorum:KItem,
 ActionStateCell,
 variables:Map,
- stack:List,
+ stack:Stack,
 ExternalCallEnvCell) [function, functional]
@@ -134,7 +134,7 @@ module COUNT-CAN-SIGN-PARTS
 _Quorum:KItem,
 _ActionState:ActionStateCell,
 Variables:Map,
- _Stack:List,
+ _Stack:Stack,
 _ExternalCallEnv:ExternalCallEnvCell)
 => isKResult(SignerIds)
@@ -152,7 +152,7 @@ module COUNT-CAN-SIGN-PARTS
 quorum:KItem,
 ActionStateCell,
 variables:Map,
- stack:List,
+ Stack:Stack,
 ExternalCallEnvCell) [function, functional]
@@ -165,7 +165,7 @@ module COUNT-CAN-SIGN-PARTS
 _Quorum:KItem,
 _ActionState:ActionStateCell,
 _Variables:Map,
- _Stack:List,
+ _Stack:Stack,
 _ExternalCallEnv:ExternalCallEnvCell)
 => true
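Review bot: In the `@@ -13,12 +13,12 @@` hunk of count-can-sign-parts.k the rule head `rule countCanSignLhs(` becomes `rule Stack(`, which no longer names the function that the `syntax` declaration immediately above it defines; this looks like a search-and-replace artefact rather than an intended rename, and the line should read `rule countCanSignLhs(` again. The same pass also capitalized the named nonterminal in the `syntax` declaration at `@@ -152,7 +152,7 @@` (`Stack:Stack,` next to lowercase siblings such as `variables:Map,`, where the other declarations in this file now use `stack:Stack,`), and the identical inconsistency appears in every `syntax` hunk of init-loop-parts.k and in the `@@ -65` and `@@ -81` hunks of perform-parts.k on the next line. I cannot confirm from the diff whether kompile accepts an uppercase parameter name in a production, but the affected modules should at least be recompiled before merging, since a mis-renamed rule head would presumably fail at compile time rather than silently weaken a proof.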
diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k
index cf6aea60c..1a0d71e3d 100644
--- a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k
+++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k
@@ -13,7 +13,7 @@ module INIT-LOOP-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- stack:List,
+ Stack:Stack,
 ExternalCallEnvCell,
 address:Expression,
 userId:Usize)
@@ -28,7 +28,7 @@ module INIT-LOOP-PARTS
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 Address:Expression,
 UserId:Usize)
@@ -85,7 +85,7 @@ module INIT-LOOP-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- stack:List,
+ Stack:Stack,
 ExternalCallEnvCell,
 index:Usize,
 address:Expression,
@@ -100,7 +100,7 @@ module INIT-LOOP-PARTS
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 Index:Usize,
 Address:Expression,
diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k
index c84736c4b..278c46bbb 100644
--- a/multisig/protocol-correctness/proof/invariant/perform-parts.k
+++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k
@@ -65,7 +65,7 @@ module PERFORM-PARTS
 userIdToRole:Map,
 quorum:Usize,
 ActionStateCell,
- stack:List,
+ Stack:Stack,
 callerAddress:Address,
 performedActions:List) [function, functional]
@@ -81,7 +81,7 @@ module PERFORM-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- stack:List,
+ Stack:Stack,
 callerAddress:Address,
 performedActions:List) [function, functional]
@@ -219,7 +219,7 @@ module PERFORM-PARTS
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
 =>
@@ -267,7 +267,7 @@ module PERFORM-PARTS
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
 =>
diff --git a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k
index 162f95c71..1a7fe67be 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k
@@ -11,7 +11,7 @@ module TRUSTED-COUNT-CAN-SIGN
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 PerformedActions:List)
@@ -70,7 +70,7 @@ module PROOF-COUNT-CAN-SIGN
 Quorum:Usize,
 ActionState:ActionStateCell,
 Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell)
 => countCanSignRhs(
diff --git a/multisig/protocol-correctness/proof/invariant/proof-init-loop.k b/multisig/protocol-correctness/proof/invariant/proof-init-loop.k
index bca6f8bc7..3fb85dc17 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-init-loop.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-init-loop.k
@@ -13,7 +13,7 @@ module TRUSTED-INIT-LOOP
 Quorum:Usize,
 ActionState:ActionStateCell,
 .Map, // TODO: Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 _Address0:Expression,
 _UserId0:Usize)
@@ -62,7 +62,7 @@ module TRUSTED-INIT-LOOP
 Quorum:Usize,
 ActionState:ActionStateCell,
 .Map, // TODO: Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 _Address0:Expression,
 _UserId0:Usize)
@@ -107,7 +107,7 @@ module PROOF-INIT-LOOP
 Quorum:Usize,
 ActionState:ActionStateCell,
 .Map, // TODO: Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 _Address0:Expression,
 _UserId0:Usize)
@@ -155,7 +155,7 @@ module PROOF-INIT-LOOP
 Quorum:Usize,
 ActionState:ActionStateCell,
 .Map, // TODO: Variables:Map,
- Stack:List,
+ Stack:Stack,
 ExternalCallEnv:ExternalCallEnvCell,
 _Address0:Expression,
 _UserId0:Usize)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k
index bf3beb4aa..93f994d20 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k
@@ -21,7 +21,7 @@ module TRUSTED-PERFORM-ADD-BOARD-MEMBER
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -39,7 +39,7 @@ module TRUSTED-PERFORM-ADD-BOARD-MEMBER
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -84,7 +84,7 @@ module PROOF-PERFORM-ADD-BOARD-MEMBER
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -102,7 +102,7 @@ module PROOF-PERFORM-ADD-BOARD-MEMBER
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k
index 4b7bad098..a703aa349 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k
@@ -17,7 +17,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-1
 (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 _PerformedActions:List)
@@ -72,7 +72,7 @@ module PROOF-PERFORM-ADD-PROPOSER-1
 (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 _PerformedActions:List)
@@ -90,7 +90,7 @@ module PROOF-PERFORM-ADD-PROPOSER-1
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ?_PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k
index e62d02850..338c3a005 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k
@@ -24,7 +24,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-3
 (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -42,7 +42,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-3
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -92,7 +92,7 @@ module PROOF-PERFORM-ADD-PROPOSER-3
 (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -110,7 +110,7 @@ module PROOF-PERFORM-ADD-PROPOSER-3
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k
index 026e356f8..4d1c14423 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k
@@ -24,7 +24,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-5
 (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -42,7 +42,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-5
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -92,7 +92,7 @@ module PROOF-PERFORM-ADD-PROPOSER-5
 (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -110,7 +110,7 @@ module PROOF-PERFORM-ADD-PROPOSER-5
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k
index 25db25a01..e1ec6b9d6 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k
@@ -24,7 +24,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-7
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -42,7 +42,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-7
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -92,7 +92,7 @@ module PROOF-PERFORM-ADD-PROPOSER-7
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -110,7 +110,7 @@ module PROOF-PERFORM-ADD-PROPOSER-7
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k
index 939a48ea1..1fc6e6afc 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k
@@ -24,7 +24,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-8
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -42,7 +42,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-8
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -91,7 +91,7 @@ module PROOF-PERFORM-ADD-PROPOSER-8
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -109,7 +109,7 @@ module PROOF-PERFORM-ADD-PROPOSER-8
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k
index 61e5bda20..b301ee389 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k
@@ -21,7 +21,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-9
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -39,7 +39,7 @@ module TRUSTED-PERFORM-ADD-PROPOSER-9
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -85,7 +85,7 @@ module PROOF-PERFORM-ADD-PROPOSER-9
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -103,7 +103,7 @@ module PROOF-PERFORM-ADD-PROPOSER-9
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k
index b5322290a..8d667c3fc 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k
@@ -14,7 +14,7 @@ module TRUSTED-PERFORM-CHANGE-QUORUM
 UserIdToRole:Map,
 OldQuorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -32,7 +32,7 @@ module TRUSTED-PERFORM-CHANGE-QUORUM
 u(NewQuorum),
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -69,7 +69,7 @@ module TRUSTED-PERFORM-CHANGE-QUORUM
 UserIdToRole:Map,
 OldQuorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 _PerformedActions:List)
@@ -87,7 +87,7 @@ module TRUSTED-PERFORM-CHANGE-QUORUM
 OldQuorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ?_PerformedActions:List)
@@ -128,7 +128,7 @@ module PROOF-PERFORM-CHANGE-QUORUM
 UserIdToRole:Map,
 OldQuorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -146,7 +146,7 @@ module PROOF-PERFORM-CHANGE-QUORUM
 u(NewQuorum),
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -182,7 +182,7 @@ module PROOF-PERFORM-CHANGE-QUORUM
 UserIdToRole:Map,
 OldQuorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 _PerformedActions:List)
@@ -200,7 +200,7 @@ module PROOF-PERFORM-CHANGE-QUORUM
 OldQuorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ?_PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k
index ab0e1e43d..011e6646a 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k
@@ -14,7 +14,7 @@ module TRUSTED-PERFORM-NOTHING
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -72,7 +72,7 @@ module PROOF-PERFORM-NOTHING
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k
index c9cf9bc63..9ebfa1838 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-1.k
@@ -24,7 +24,7 @@ module TRUSTED-PERFORM-REMOVE-USER-1
 (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map,
 u(Quorum:Int),
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -42,7 +42,7 @@ module TRUSTED-PERFORM-REMOVE-USER-1
 u(Quorum),
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -95,7 +95,7 @@ module PROOF-PERFORM-REMOVE-USER-1
 (UserId |-> BoardMember UserIdToRoleFinal:Map) #as UserIdToRole:Map,
 u(Quorum:Int),
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -113,7 +113,7 @@ module PROOF-PERFORM-REMOVE-USER-1
 u(Quorum),
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k
index 19523700d..c79f2f51f 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-10.k
@@ -21,7 +21,7 @@ module TRUSTED-PERFORM-REMOVE-USER-10
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -39,7 +39,7 @@ module TRUSTED-PERFORM-REMOVE-USER-10
 Quorum,
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -87,7 +87,7 @@ module PROOF-PERFORM-REMOVE-USER-10
 UserIdToRole:Map,
 Quorum:Usize,
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -105,7 +105,7 @@ module PROOF-PERFORM-REMOVE-USER-10
 Quorum,
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k
index 51283384d..55eff87de 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-3.k
@@ -17,7 +17,7 @@ module TRUSTED-PERFORM-REMOVE-USER-3
 (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map,
 u(Quorum:Int),
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 _PerformedActions:List)
@@ -35,7 +35,7 @@ module TRUSTED-PERFORM-REMOVE-USER-3
 u(Quorum),
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ?_PerformedActions:List)
@@ -76,7 +76,7 @@ module PROOF-PERFORM-REMOVE-USER-3
 (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map,
 u(Quorum:Int),
 ActionState:ActionStateCell,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 _PerformedActions:List)
@@ -94,7 +94,7 @@ module PROOF-PERFORM-REMOVE-USER-3
 u(Quorum),
 ActionState,
 ?_Variables:Map,
- .List, // TODO: Stack:List,
+ Stack:Stack,
 CallerAddress,
 ?_PerformedActions:List)
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k
index e3fea2a9a..fe7c3522b 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-5.k
@@ -24,7 +24,7 @@ module TRUSTED-PERFORM-REMOVE-USER-5
 (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map,
 u(Quorum:Int),
 ActionState:ActionStateCell,
- Stack:List,
+ Stack:Stack,
 CallerAddress:Address,
 PerformedActions:List)
@@ -42,7 +42,7 @@ module TRUSTED-PERFORM-REMOVE-USER-5
 u(Quorum:Int),
 ActionState,
 ?_Variables:Map,
- Stack:List,
+ Stack:Stack,
 CallerAddress,
 ListItem(Action) PerformedActions:List)
@@ -97,7 +97,7 @@ module PROOF-PERFORM-REMOVE-USER-5 (UserId |-> UserRole:KItem UserIdToRoleFinal:Map) #as UserIdToRole:Map, u(Quorum:Int), ActionState:ActionStateCell, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -115,7 +115,7 @@ module PROOF-PERFORM-REMOVE-USER-5 u(Quorum:Int), ActionState, ?_Variables:Map, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k index 7413bc6d8..be42091aa 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-7.k @@ -17,7 +17,7 @@ module TRUSTED-PERFORM-REMOVE-USER-7 (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, u(Quorum:Int), ActionState:ActionStateCell, - Stack:List, + Stack:Stack, CallerAddress:Address, _PerformedActions:List) @@ -35,7 +35,7 @@ module TRUSTED-PERFORM-REMOVE-USER-7 u(Quorum:Int), ActionState, ?_Variables:Map, - Stack:List, + Stack:Stack, CallerAddress, ?_PerformedActions:List) @@ -75,7 +75,7 @@ module PROOF-PERFORM-REMOVE-USER-7 (UserId |-> UserRole:KItem _UserIdToRole:Map) #as UserIdToRole:Map, u(Quorum:Int), ActionState:ActionStateCell, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress:Address, _PerformedActions:List) @@ -93,7 +93,7 @@ module PROOF-PERFORM-REMOVE-USER-7 u(Quorum:Int), ActionState, ?_Variables:Map, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress, ?_PerformedActions:List) diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k index 0ea3bf3df..7e3148843 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k 
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-remove-user-9.k @@ -21,7 +21,7 @@ module TRUSTED-PERFORM-REMOVE-USER-9 UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -39,7 +39,7 @@ module TRUSTED-PERFORM-REMOVE-USER-9 Quorum, ActionState, ?_Variables:Map, - Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) @@ -89,7 +89,7 @@ module PROOF-PERFORM-REMOVE-USER-9 UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -107,7 +107,7 @@ module PROOF-PERFORM-REMOVE-USER-9 Quorum, ActionState, ?_Variables:Map, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k index 3df8955ca..202ede1e1 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-call.k @@ -18,7 +18,7 @@ module TRUSTED-PERFORM-S-C-CALL UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -36,7 +36,7 @@ module TRUSTED-PERFORM-S-C-CALL Quorum, ActionState, ?_Variables:Map, - Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) @@ -72,7 +72,7 @@ module PROOF-PERFORM-S-C-CALL UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -90,7 +90,7 @@ module PROOF-PERFORM-S-C-CALL Quorum, ActionState, ?_Variables:Map, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k index c609dc217..e4cbcb7b7 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-s-c-deploy.k @@ -18,7 +18,7 @@ module TRUSTED-PERFORM-S-C-DEPLOY UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -36,7 +36,7 @@ module TRUSTED-PERFORM-S-C-DEPLOY Quorum, ActionState, ?_Variables:Map, - Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) @@ -72,7 +72,7 @@ module PROOF-PERFORM-S-C-DEPLOY UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -90,7 +90,7 @@ module PROOF-PERFORM-S-C-DEPLOY Quorum, ActionState, ?_Variables:Map, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k index a58304288..d35fb710b 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-send-egld.k @@ -14,7 +14,7 @@ module TRUSTED-PERFORM-SEND-EGLD UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -32,7 +32,7 @@ module TRUSTED-PERFORM-SEND-EGLD Quorum, ActionState, ?_Variables:Map, - Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) 
@@ -64,7 +64,7 @@ module PROOF-PERFORM-SEND-EGLD UserIdToRole:Map, Quorum:Usize, ActionState:ActionStateCell, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress:Address, PerformedActions:List) @@ -82,7 +82,7 @@ module PROOF-PERFORM-SEND-EGLD Quorum, ActionState, ?_Variables:Map, - .List, // TODO: Stack:List, + Stack:Stack, CallerAddress, ListItem(Action) PerformedActions:List) diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k index fe484105c..7fcb525e4 100644 --- a/multisig/protocol-correctness/pseudocode.k +++ b/multisig/protocol-correctness/pseudocode.k @@ -266,11 +266,8 @@ module PSEUDOCODE-INSTRUCTIONS => runInstruction(I) ~> runPseudoCode(Is) rule error ~> (runPseudoCode(_) => .K) ... - // ListItem(_) ... - // rule error ~> (runPseudoCode(_) => .K) ... - // .List rule error => .K - .List + .stack rule runInstruction(E:Expression;) => evaluate(E) rule (evaluate(E:Expression) => .K) ~> runInstruction(_) @@ -410,6 +407,7 @@ module PSEUDOCODE-EXPRESSION endmodule module PSEUDOCODE-COMMON + imports MAP imports PSEUDOCODE-SYNTAX syntax KResult ::= Value @@ -427,6 +425,9 @@ module PSEUDOCODE-COMMON syntax KItem ::= "removeValue" rule (E:Expression ~> removeValue) => .K requires isKResult(E) + + syntax Stack ::= ".stack" + syntax Stack ::= stack(MultisigStateCell, variables:Map, performedActions:List, next:Stack) endmodule module PSEUDOCODE-DETAILS @@ -498,8 +499,6 @@ module PSEUDOCODE-FUNCTIONS syntax KItem ::= call(Expression) syntax KItem ::= Expression - syntax Stack ::= stackEntry(MultisigStateCell, variables:Map, performedActions:List) - context evaluate(_:FunctionTag( {HOLE => evaluateAc(HOLE)}:>ArgumentCSV )) @@ -519,7 +518,7 @@ module PSEUDOCODE-FUNCTIONS S:MultisigStateCell V:Map => .Map - (.List => ListItem(stackEntry(S, V, Log))) ... + Stack:Stack => stack(S, V, Log, Stack) _:ExternalCallEnvCell 
@@ -532,8 +531,9 @@ module PSEUDOCODE-FUNCTIONS rule E:Expression ~> (popContext => .K) ... _ => V - (ListItem(stackEntry(_, V:Map, _)) => .List) ... + stack(_, V:Map, _, Stack:Stack) => Stack requires isKResult(E) + [label(xyzzy)] rule (E:Expression ~> evaluateReturnValue) => evaluate(E) ... requires isKResult(E) @@ -543,7 +543,7 @@ module PSEUDOCODE-FUNCTIONS (_ => S) _ => V - (ListItem(stackEntry(S:MultisigStateCell, V:Map, Log:List)) => .List) ... + stack(S:MultisigStateCell, V:Map, Log:List, Stack:Stack) => Stack _:ExternalCallEnvCell @@ -1232,6 +1232,7 @@ module PSEUDOCODE-CONFIGURATION imports MAP imports PSEUDOCODE-SYNTAX + imports PSEUDOCODE-COMMON syntax KItem ::= "uninitialized" @@ -1263,7 +1264,7 @@ module PSEUDOCODE-CONFIGURATION .Map - .List + .stack uninitialized @@ -1300,7 +1301,7 @@ module PSEUDOCODE-CONFIGURATION .Map - .List + .stack uninitialized From 3f2eedf0d9a55bda4e42f9a5099a6e48bc0a0fe2 Mon Sep 17 00:00:00 2001 
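Review bot: The `[label(xyzzy)]` attribute added to the popContext rule in the `@@ -532` hunk reads as a leftover debugging label rather than a name anyone can grep for; either drop it or give it a descriptive one such as `[label(pop-context-return)]`. The same hunk pair also makes the two ways a `stack(S, V, Log, Next)` entry is consumed asymmetric: popContext restores only the variables (`stack(_, V:Map, _, Stack:Stack) => Stack`) and keeps the callee's state cell, while the rule at `@@ -543` restores the saved state with `(_ => S)`, which looks like the revert path for a failed external call but is not said anywhere. A comment on each rule naming which return path it is (normal return vs. revert/restore) would make the intent verifiable; note that the cell tags appear to have been stripped from this hunk during extraction, so I could not confirm which cells the `.stack` match in the `rule error => .K` hunk applies to.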
From: Virgil Serbanuta Date: Wed, 14 Apr 2021 02:53:26 +0300 Subject: [PATCH 26/37] Proof for the perform action endpoint checks --- multisig/kompile_tool/kprove.sh | 11 ++- multisig/proof.bzl | 2 +- .../proof/functions/BUILD | 46 +++++++++++ ...oof-perform-action-endpoint-fragment-New.k | 66 ++++++++++++++++ ...of-perform-action-endpoint-fragment-None.k | 65 ++++++++++++++++ ...-endpoint-fragment-no-quorum-has-signers.k | 72 +++++++++++++++++ ...n-endpoint-fragment-no-quorum-no-signers.k | 73 ++++++++++++++++++ ...n-endpoint-fragment-performs-has-signers.k | 76 ++++++++++++++++++ ...on-endpoint-fragment-performs-no-signers.k | 77 +++++++++++++++++++ 9 files changed, 483 insertions(+), 5 deletions(-) create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k diff --git a/multisig/kompile_tool/kprove.sh b/multisig/kompile_tool/kprove.sh index fcd25249c..22c4e0d63 100755 --- a/multisig/kompile_tool/kprove.sh +++ b/multisig/kompile_tool/kprove.sh @@ -13,7 +13,7 @@ trap 'rm -rf -- "$TMP_DIR"' EXIT ORIGINAL_FILE=$1 shift -PROOF_FILE=$1 +PROOF_FILE=$(realpath $1) shift MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:]) 
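Review bot: `PROOF_FILE=$(realpath $1)` leaves `$1` unquoted inside the command substitution, so a proof path containing whitespace or glob characters is word-split and globbed before realpath sees it; use `PROOF_FILE=$(realpath -- "$1")`. The reason an absolute path is now needed (the script chdirs into the temp directory before invoking kprove in the next hunk) is worth a one-line comment, e.g. `# absolute path: kprove is run from $TMP_DIR below`. `realpath` is GNU coreutils and may be absent on older BSD/macOS hosts; if the tool is meant to run there, `readlink -f` has the same caveat and a pure-shell fallback may be needed.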
@@ -23,8 +23,8 @@ chmod -R a+w $TMP_DIR/* KOMPILE_TOOL_DIR=kompile_tool -KPROVE=$KOMPILE_TOOL_DIR/k/bin/kprove -REPL_SCRIPT=$KOMPILE_TOOL_DIR/kast.kscript +KPROVE=$(realpath $KOMPILE_TOOL_DIR/k/bin/kprove) +REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript) BACKEND_COMMAND="kore-exec" if [ $# -eq 0 ]; then @@ -38,8 +38,11 @@ else fi fi +cd $TMP_DIR + $KPROVE \ --haskell-backend-command "$BACKEND_COMMAND --smt-timeout 4000" \ - --directory "$TMP_DIR" \ --spec-module "$MODULE_NAME" \ "$PROOF_FILE" + +# --directory "$TMP_DIR" \ diff --git a/multisig/proof.bzl b/multisig/proof.bzl index ff4d9d727..79e32935a 100644 --- a/multisig/proof.bzl +++ b/multisig/proof.bzl @@ -132,7 +132,7 @@ def _merge_trusted(input_file, trusted_attr, kmerge, actions, merged_file): actions.run( inputs=depset([input_file] + all_trusted), outputs=[merged_file], - arguments=[merged_file.path] + [s.path for s in all_trusted] + [input_file.path], + arguments=[merged_file.path, input_file.path] + [s.path for s in all_trusted], progress_message="Preparing %s" % input_file.path, executable=kmerge) diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index d2d5a7acb..2a3a9c259 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD 
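Review bot: `cd $TMP_DIR` in the `@@ -38` hunk is both unquoted and unchecked: if the chdir fails the script silently goes on to run kprove in the caller's working directory, which is exactly what the `--directory` flag it replaces used to prevent. Write it as `cd "$TMP_DIR" || exit 1` (the EXIT trap's `rm -rf -- "$TMP_DIR"` still fires either way). The same quoting applies to `KPROVE=$(realpath "$KOMPILE_TOOL_DIR/k/bin/kprove")` and `REPL_SCRIPT`, and the dangling `# --directory "$TMP_DIR" \` left after the command is dead text that should either be removed or turned into a sentence explaining why the flag was replaced by the chdir.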
@@ -9,6 +9,52 @@ kompile( ], ) +kprove_test( + name = "proof-perform-action-endpoint-fragment-New", + srcs = ["proof-perform-action-endpoint-fragment-New.k"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-fragment-None", + srcs = ["proof-perform-action-endpoint-fragment-None.k"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-fragment-no-quorum-no-signers", + srcs = ["proof-perform-action-endpoint-fragment-no-quorum-no-signers.k"], + trusted = ["trusted-count-can-sign"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-fragment-no-quorum-has-signers", + srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"], + trusted = ["trusted-count-can-sign"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-fragment-performs-no-signers", + srcs = ["proof-perform-action-endpoint-fragment-performs-no-signers.k"], + trusted = ["trusted-count-can-sign"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-fragment-performs-has-signers", + srcs = ["proof-perform-action-endpoint-fragment-performs-has-signers.k"], + trusted = ["trusted-count-can-sign"], + semantics = ":functions-execute", + timeout = "long", +) + kprove_test( name = "proof-perform-action-id-remove-user-BoardMember", srcs = ["proof-perform-action-id-remove-user-BoardMember.k"], diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-New.k new file mode 100644 index 000000000..99bcbbb1e --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-New.k 
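Review bot: The new targets pass `trusted = ["trusted-count-can-sign"]` without the leading colon, while the rest of this BUILD file (the `proof-discard-action-no-valid-signers` target seen in the following commit) uses the `":trusted-count-can-sign"` form. Bazel resolves both to the same package-local target as far as I know, but the mixed spelling makes it harder to tell a rule reference from a source file at a glance; `trusted = [":trusted-count-can-sign"]` keeps the file consistent.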
@@ -0,0 +1,66 @@ +//@ proof +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NEW +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId:Usize)); + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + caller_address |-> CallerAddress + caller_id |-> u(0) + caller_role |-> None, + PerformedActions:List + ) + + requires true + andBool notBool CallerAddress in_keys(AddressToUserId) + andBool notBool u(0) in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-None.k new file mode 100644 index 000000000..6e3755d84 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-None.k 
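Review bot: The claim's only protection for an unregistered caller is the side condition `notBool u(0) in_keys(UserIdToRole)`: the post-state shows `getUserId` returns `u(0)` for an address that is not in `AddressToUserId`, so if id 0 were ever a key of `UserIdToRole` an unknown caller would inherit that role and pass `userRoleCanPerformAction`. Unlike the sibling claims this one does not assume `userIdToRoleInvariant(UserIdToRole)`; if that invariant already excludes id 0 (I cannot see its definition here) it would be cleaner to require it and derive the condition, otherwise the sentinel should be documented where user ids are allocated. A comment on the requires clause such as `// u(0) is the "not registered" id returned by getUserId; it must never be a registered user` would record the assumption for whoever maintains the invariants.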
@@ -0,0 +1,65 @@ +//@ proof +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NONE +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId:Usize)); + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + caller_address |-> CallerAddress + caller_id |-> UserId + caller_role |-> None, + PerformedActions:List + ) + + requires true + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k new file mode 100644 index 000000000..23bbc69d3 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k 
@@ -0,0 +1,72 @@ +//@ proof +require "trusted-count-can-sign.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-HAS-SIGNERS + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-HAS-SIGNERS +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId:Usize)); + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + (ActionId |-> SignerIds:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + caller_address |-> CallerAddress + caller_id |-> UserId + caller_role |-> Role, + PerformedActions + ) + + requires true + andBool userIdToRoleInvariant(UserIdToRole) + andBool actionSignersInvariant(ActionSigners) + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum >Int countCanSignFunction(SignerIds, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
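Review bot: The security property this claim encodes, that an action fails when fewer than `Quorum` of its recorded signers can still sign, rests entirely on `countCanSignFunction(SignerIds, opaque(UserIdToRole))`, which is imported from TRUSTED-COUNT-CAN-SIGN and therefore taken as an axiom in this target rather than checked here. The file says nothing about what that function counts; presumably signers whose current entry in `UserIdToRole` still permits signing, so that a signer removed from the board after signing no longer contributes to quorum, but that should be confirmed against the lemma. A comment above the requires clause stating the intended meaning, and noting that the lemma is proven (or assumed) in the `trusted-count-can-sign` target, would let a reader judge the trust boundary without opening the other file.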
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k new file mode 100644 index 000000000..d131eab6a --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k 
@@ -0,0 +1,73 @@ +//@ proof +require "trusted-count-can-sign.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId:Usize)); + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + caller_address |-> CallerAddress + caller_id |-> UserId + caller_role |-> Role, + PerformedActions + ) + + requires true + andBool userIdToRoleInvariant(UserIdToRole) + andBool actionSignersInvariant(ActionSigners) + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool notBool ActionId in_keys(ActionSigners) + andBool Quorum >Int 0 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k new file mode 100644 index 000000000..7abd02795 --- /dev/null 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k @@ -0,0 +1,76 @@ +//@ proof +require "trusted-count-can-sign.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId:Usize)); + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + (ActionId |-> SignerIds:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + runPseudoCode( + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + caller_address |-> CallerAddress + caller_id |-> UserId + caller_role |-> Role, + PerformedActions + ) + + requires true + andBool userIdToRoleInvariant(UserIdToRole) + andBool actionSignersInvariant(ActionSigners) + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction(SignerIds, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
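Review bot: The post-state deliberately stops at `runPseudoCode( performActionFromId(ActionId); )`, so this claim establishes the access-control and quorum gate only, and nothing in the requires clause ties `ActionId` to a proposed action (no condition relating it to `ActionLastIndex` or `ActionData`). That is fine if a separate fragment proves `performActionFromId` for an arbitrary id, but the split is not stated anywhere in the file. A short header comment, e.g. `// Fragment: proves the caller-role and quorum checks succeed; performActionFromId is covered by the perform-action-id-* claims`, would make the proof decomposition explicit and point reviewers at where the action id itself is validated; I am inferring the continuation from the sibling target names in BUILD, so the wording should be checked.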
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k new file mode 100644 index 000000000..75a40fa4b --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k 
@@ -0,0 +1,77 @@ +//@ proof +require "trusted-count-can-sign.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-NO-SIGNERS + imports TRUSTED-COUNT-CAN-SIGN +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-NO-SIGNERS +//@ end + imports FUNCTIONS-EXECUTE + + claim + runPseudoCode( + caller_address = getCaller(); + caller_id = getUserId(caller_address); + caller_role = getUserIdToRole(caller_id); + require(userRoleCanPerformAction(caller_role)); + require(quorumReached(ActionId:Usize)); + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + runPseudoCode( + performActionFromId(ActionId); + ) + ~> K:K + + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + caller_address |-> CallerAddress + caller_id |-> UserId + caller_role |-> Role, + PerformedActions + ) + + requires true + andBool userIdToRoleInvariant(UserIdToRole) + andBool actionSignersInvariant(ActionSigners) + + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool notBool ActionId in_keys(ActionSigners) + andBool Quorum ==Int 0 + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule From bed9e579ddc373a5e86931fc31f4264667b5e242 Mon Sep 17 00:00:00 2001 
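Review bot: This claim proves that with `Quorum ==Int 0` an action that nobody has signed (`notBool ActionId in_keys(ActionSigners)`) passes `require(quorumReached(...))` and proceeds to `performActionFromId`, i.e. a zero quorum lets any single board member or proposer execute arbitrary actions unsigned. The proof is correct about the semantics, but the security consequence deserves a comment at the requires clause, e.g. `// quorum 0: unsigned actions are performable; reachability of quorum 0 depends on init/change-quorum`, since whether this state is reachable is decided elsewhere. Also, together with the `Quorum >Int 0` sibling claim the case split is exhaustive only if `Quorum` is non-negative; if the `u(...)` wrapper does not already enforce that at the sort level, adding `andBool Quorum >=Int 0` (or the usize invariant) here and in the no-quorum variant would make the coverage argument explicit.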
From: Virgil Serbanuta Date: Wed, 14 Apr 2021 18:35:50 +0300 Subject: [PATCH 27/37] Fix proofs and cleanup --- .../proof/functions/BUILD | 10 +- ...form-action-add-board-member-BoardMember.k | 1 + ...roof-perform-action-add-board-member-New.k | 1 + ...oof-perform-action-add-board-member-None.k | 1 + ...perform-action-add-board-member-Proposer.k | 1 + ...ction-add-proposer-BoardMember-no-quorum.k | 1 + ...-perform-action-add-proposer-BoardMember.k | 1 + .../proof-perform-action-add-proposer-New.k | 1 + .../proof-perform-action-add-proposer-None.k | 1 + ...oof-perform-action-add-proposer-Proposer.k | 1 + ...m-action-id-add-board-member-BoardMember.k | 5 +- ...f-perform-action-id-add-board-member-New.k | 5 +- ...-perform-action-id-add-board-member-None.k | 8 +- ...form-action-id-add-board-member-Proposer.k | 8 +- ...on-id-add-proposer-BoardMember-no-quorum.k | 19 ++-- ...rform-action-id-add-proposer-BoardMember.k | 8 +- ...proof-perform-action-id-add-proposer-New.k | 8 +- ...roof-perform-action-id-add-proposer-None.k | 8 +- ...-perform-action-id-add-proposer-Proposer.k | 8 +- ...erform-action-id-change-quorum-no-quorum.k | 9 +- .../proof-perform-action-id-change-quorum.k | 6 +- ...ction-id-id-add-board-member-BoardMember.k | 95 ---------------- ...erform-action-id-id-add-board-member-New.k | 102 ----------------- ...rform-action-id-id-add-board-member-None.k | 97 ----------------- ...m-action-id-id-add-board-member-Proposer.k | 95 ---------------- ...id-id-add-proposer-BoardMember-no-quorum.k | 97 ----------------- ...rm-action-id-id-add-proposer-BoardMember.k | 97 ----------------- ...of-perform-action-id-id-add-proposer-New.k | 103 ------------------ ...f-perform-action-id-id-add-proposer-None.k | 98 ----------------- ...rform-action-id-id-add-proposer-Proposer.k | 96 ---------------- ...orm-action-id-id-change-quorum-no-quorum.k | 92 ---------------- ...proof-perform-action-id-id-change-quorum.k | 92 ---------------- .../proof-perform-action-id-id-nothing.k | 1 - 
...on-id-id-remove-user-BoardMember-too-few.k | 1 - ...orm-action-id-id-remove-user-BoardMember.k | 1 - ...oof-perform-action-id-id-remove-user-New.k | 1 - ...of-perform-action-id-id-remove-user-None.k | 1 - ...n-id-id-remove-user-Proposer-nobody-left.k | 1 - ...erform-action-id-id-remove-user-Proposer.k | 1 - .../proof-perform-action-id-id-sc-call.k | 1 - .../proof-perform-action-id-id-sc-deploy.k | 1 - .../proof-perform-action-id-id-send-egld.k | 1 - .../proof-perform-action-id-nothing.k | 10 +- ...ction-id-remove-user-BoardMember-too-few.k | 15 +-- ...erform-action-id-remove-user-BoardMember.k | 8 +- .../proof-perform-action-id-remove-user-New.k | 8 +- ...proof-perform-action-id-remove-user-None.k | 8 +- ...tion-id-remove-user-Proposer-nobody-left.k | 15 +-- ...f-perform-action-id-remove-user-Proposer.k | 8 +- .../proof-perform-action-id-sc-deploy.k | 6 +- .../proof-perform-action-id-send-egld.k | 6 +- .../functions/proof-perform-action-nothing.k | 2 +- ...m-action-remove-user-BoardMember-too-few.k | 1 + ...f-perform-action-remove-user-BoardMember.k | 1 + .../proof-perform-action-remove-user-New.k | 1 + .../proof-perform-action-remove-user-None.k | 1 + ...-action-remove-user-Proposer-nobody-left.k | 1 + ...roof-perform-action-remove-user-Proposer.k | 1 + .../proof-propose-action-BoardMember.k | 2 + .../functions/proof-propose-action-Proposer.k | 2 + 60 files changed, 108 insertions(+), 1173 deletions(-) delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k delete mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k 
diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index 2a3a9c259..30d0c8af1 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -36,7 +36,7 @@ kprove_test( srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"], trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( @@ -52,7 +52,7 @@ kprove_test( srcs = ["proof-perform-action-endpoint-fragment-performs-has-signers.k"], trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( @@ -106,6 +106,7 @@ kprove_test( kprove_test( name = "proof-perform-action-id-change-quorum", srcs = ["proof-perform-action-id-change-quorum.k"], + trusted = [":trusted-perform-action-change-quorum"], semantics = ":functions-execute", timeout = "long", ) @@ -113,6 +114,7 @@ kprove_test( kprove_test( name = "proof-perform-action-id-change-quorum-no-quorum", srcs = ["proof-perform-action-id-change-quorum-no-quorum.k"], + trusted = [":trusted-perform-action-change-quorum-no-quorum"], semantics = ":functions-execute", timeout = "long", ) @@ -469,7 +471,7 @@ kprove_test( srcs = ["proof-discard-action-no-valid-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( @@ -519,7 +521,7 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", ) kprove_test( diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k index 0a88da1e7..6cfaaf94d 100644 
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-BoardMember.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER // module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k index 4e7d81ff6..b2ee711a8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-New.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW // module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW //@ end + imports EXECUTION-PROOF-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k index 5c2294f91..983d3399f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-None.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE // module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k index 8f67df186..460ff47f8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k 
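Review bot: The add-board-member-New proof in the second hunk here imports `EXECUTION-PROOF-HELPERS`, while the add-board-member-BoardMember hunk and every other sibling in this set import `INVARIANT-HELPERS`; the same split recurs in the add-proposer-New and id-add-proposer-New hunks later in this diff, and nothing in the hunks says why the "new user" cases need a different helper module. If that is deliberate, a one-line comment above the import, such as `// new-user claims use the execution lemmas rather than the invariant helpers`, would stop the next reader from "fixing" it. If it is not deliberate, it is worth checking, since the set of imported helper lemmas is part of what each proof takes on trust.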
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-board-member-Proposer.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER // module TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k index 0151cb8a8..16619666b 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember-no-quorum.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM // module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k index 51dfd972c..ca20a3a23 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-BoardMember.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER // module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k index 8875c26ca..4eb8a389c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-New.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-NEW // module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-NEW //@ end + imports EXECUTION-PROOF-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k index 06b77406f..7f264ff6d 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-None.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-NONE // module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-NONE //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k index 565f34f93..764a83197 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-add-proposer-Proposer.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-ADD-PROPOSER-PROPOSER // module TRUSTED-PERFORM-ACTION-ADD-PROPOSER-PROPOSER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k index cff5fda1f..25065335b 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-BoardMember.k 
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove +require "trusted-perform-action-add-board-member-boardmember.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-BOARDMEMBER //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k index b7af72d9e..ada782534 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-New.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-New.k" //@ Bazel remove +require "trusted-perform-action-add-board-member-new.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NEW - imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-NEW //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NEW //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k index 1c4e10cef..77a3a0dff 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-None.k 
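Review bot: The rewritten `require` lines point at lowercase file names (`trusted-perform-action-add-board-member-boardmember.k`) while the proof files themselves, and the trusted files they replace (`trusted-change-user-role-BoardMember.k`), keep a CamelCase role suffix; the same applies to the id-add-board-member-New/None/Proposer and id-add-proposer-* hunks that follow. The `//@ Bazel remove` marker suggests these requires are only used outside Bazel, where the file must exist with exactly this spelling on a case-sensitive filesystem; this diff does not show the trusted files being created, so it is worth confirming the name matches whatever generates them. Settling on one casing for proof and trusted file names would remove the question.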
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-None.k" //@ Bazel remove +require "trusted-perform-action-add-board-member-none.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NONE - imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-NONE //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NONE //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NONE PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k index da5a79086..7e21661e0 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-board-member-Proposer.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-Proposer.k" //@ Bazel remove +require "trusted-perform-action-add-board-member-proposer.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + imports TRUSTED-PERFORM-ACTION-ADD-BOARD-MEMBER-PROPOSER //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k index 4a8767e1c..ff114239b 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember-no-quorum.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove +require "trusted-perform-action-add-proposer-boardmember-no-quorum.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -22,7 +23,7 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM u(NumBoardMembers:Int) u(NumProposers:Int) - UserId |-> BoardMember UserIdToRole:Map + (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map u(Quorum:Int) @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM PerformedActions:List - - PerformedActions:List - => @@ -62,9 +60,9 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM AddressToUserId - u(NumBoardMembers -Int 1) - u(NumProposers +Int 1) - UserId |-> Proposer UserIdToRole:Map + u(NumBoardMembers) + u(NumProposers) + UserIdToRole:Map u(Quorum) @@ -82,6 +80,9 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM CallerAddress + + PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k index 3b39ca513..e7eb8b39f 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-BoardMember.k 
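Review bot: The rewritten post-state for the no-quorum case now keeps `u(NumBoardMembers)`, `u(NumProposers)` and the `UserIdToRole:Map` bound by the new `#as` pattern unchanged, which is the property that matters for a rejected action: a demotion that would break quorum must not partially apply. The hunks here do not show the action cells of the post-state, so it is not visible whether the action data and signers map are also asserted unchanged on this error path; if the intended error model is that the whole call reverts, the claim should pin those cells too rather than leave them unconstrained. The same question applies to the change-quorum-no-quorum claim later in this diff, which likewise adds `PerformedActions` to its post-state. A comment on the claim stating what `error` implies, e.g. `// no-quorum: performAction errors and every storage cell is left untouched`, would document the intent for the next reader.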
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove +require "trusted-perform-action-add-proposer-boardmember.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ADD-PROPOSER-BOARDMEMBER //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k index fb1c50f39..a3f696807 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-New.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-New.k" //@ Bazel remove +require "trusted-perform-action-add-proposer-new.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-NEW - imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-PERFORM-ACTION-ADD-PROPOSER-NEW //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-NEW //@ end + imports EXECUTION-PROOF-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-NEW PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k index d9cde7d52..f675407e1 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-None.k 
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-None.k" //@ Bazel remove +require "trusted-perform-action-add-proposer-none.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-NONE - imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-PERFORM-ACTION-ADD-PROPOSER-NONE //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-NONE //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-NONE PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k index 8f3160587..d801676b8 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-add-proposer-Proposer.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-Proposer.k" //@ Bazel remove +require "trusted-perform-action-add-proposer-proposer.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + imports TRUSTED-PERFORM-ACTION-ADD-PROPOSER-PROPOSER //@ trusted // module TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k index 368b95241..06387b767 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k 
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum-no-quorum.k @@ -1,5 +1,8 @@ //@ proof +require "trusted-perform-action-change-quorum-no-quorum.k" //@ Bazel remove + module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM + imports TRUSTED-PERFORM-ACTION-CHANGE-QUORUM-NO-QUORUM //@ trusted // module TRUSTED-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM //@ end @@ -43,9 +46,6 @@ module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM PerformedActions:List - - PerformedActions:List - => @@ -79,6 +79,9 @@ module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM CallerAddress + + PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k index c3d45a19c..00a2ebb57 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-change-quorum.k @@ -1,5 +1,8 @@ //@ proof +require "trusted-perform-action-change-quorum.k" //@ Bazel remove + module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM + imports TRUSTED-PERFORM-ACTION-CHANGE-QUORUM //@ trusted // module TRUSTED-PERFORM-ACTION-ID-CHANGE-QUORUM //@ end @@ -43,9 +46,6 @@ module PROOF-PERFORM-ACTION-ID-CHANGE-QUORUM PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k deleted file mode 100644 index fbd1e63d1..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-BoardMember.k +++ /dev/null 
@@ -1,95 +0,0 @@ -//@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-BOARDMEMBER -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddBoardMember(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - NumBoardMembers:Usize - NumProposers:Usize - (UserId |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map - Quorum:Usize - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - NumBoardMembers - NumProposers - UserIdToRole - Quorum - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k deleted file mode 100644 index 1525fefde..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-New.k +++ /dev/null 
@@ -1,102 +0,0 @@ -//@ proof -require "trusted-change-user-role-New.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NEW - imports TRUSTED-CHANGE-USER-ROLE-NEW -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NEW -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddBoardMember(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - u(NumUsers:Int) - UserIdToAddress:Map - AddressToUserId:Map - - - u(NumBoardMembers:Int) - NumProposers:Usize - UserIdToRole:Map - Quorum:Usize - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - u(NumUsers +Int 1) - u(NumUsers +Int 1) |-> UserAddress UserIdToAddress - UserAddress |-> u(NumUsers +Int 1) AddressToUserId - - - u(NumBoardMembers +Int 1) - NumProposers - u(NumUsers +Int 1) |-> BoardMember UserIdToRole - Quorum - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - - andBool NumUsers >=Int 0 - // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + - // someting to map values to keys. - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) - - andBool notBool UserAddress in_keys(AddressToUserId) - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k deleted file mode 100644 index 3284d347a..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-None.k +++ /dev/null 
@@ -1,97 +0,0 @@ -//@ proof -require "trusted-change-user-role-None.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NONE - imports TRUSTED-CHANGE-USER-ROLE-NONE -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-NONE -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddBoardMember(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - u(NumBoardMembers:Int) - NumProposers:Usize - UserIdToRole:Map - Quorum:Usize - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers +Int 1) - NumProposers - UserId |-> BoardMember UserIdToRole - Quorum - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - - andBool notBool UserId in_keys(UserIdToRole) - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k deleted file mode 100644 index 8a92f0f4d..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-board-member-Proposer.k +++ /dev/null 
@@ -1,95 +0,0 @@ -//@ proof -require "trusted-change-user-role-Proposer.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-PROPOSER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-BOARD-MEMBER-PROPOSER -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddBoardMember(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - u(NumBoardMembers:Int) - u(NumProposers:Int) - UserId |-> Proposer UserIdToRole:Map - Quorum:Usize - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers +Int 1) - u(NumProposers -Int 1) - UserId |-> BoardMember UserIdToRole:Map - Quorum - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k deleted file mode 100644 index ccd596a8b..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember-no-quorum.k +++ /dev/null 
@@ -1,97 +0,0 @@ -//@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddProposer(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - u(NumBoardMembers:Int) - u(NumProposers:Int) - UserId |-> BoardMember UserIdToRole:Map - u(Quorum:Int) - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - error ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers -Int 1) - u(NumProposers +Int 1) - UserId |-> Proposer UserIdToRole:Map - u(Quorum) - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - - andBool Quorum ==Int NumBoardMembers - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k deleted file mode 100644 index 7214ce4dd..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-BoardMember.k +++ /dev/null 
@@ -1,97 +0,0 @@ -//@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-BOARDMEMBER -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddProposer(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - u(NumBoardMembers:Int) - u(NumProposers:Int) - UserId |-> BoardMember UserIdToRole:Map - u(Quorum:Int) - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers -Int 1) - u(NumProposers +Int 1) - UserId |-> Proposer UserIdToRole:Map - u(Quorum) - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - - andBool Quorum <=Int NumBoardMembers -Int 1 - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k deleted file mode 100644 index 9788385b0..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-New.k +++ /dev/null 
@@ -1,103 +0,0 @@ -//@ proof -require "trusted-change-user-role-New.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NEW - imports TRUSTED-CHANGE-USER-ROLE-NEW -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NEW -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddProposer(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - u(NumUsers:Int) - UserIdToAddress:Map - AddressToUserId:Map - - - u(NumBoardMembers:Int) - u(NumProposers:Int) - UserIdToRole:Map - u(Quorum:Int) - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - u(NumUsers +Int 1) - u(NumUsers +Int 1) |-> UserAddress UserIdToAddress - UserAddress |-> u(NumUsers +Int 1) AddressToUserId - - - u(NumBoardMembers) - u(NumProposers +Int 1) - u(NumUsers +Int 1) |-> Proposer UserIdToRole - u(Quorum) - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - - andBool NumUsers >=Int 0 - // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + - // someting to map values to keys. - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) - andBool Quorum <=Int NumBoardMembers - - andBool notBool UserAddress in_keys(AddressToUserId) - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k deleted file mode 100644 index c928962a2..000000000 
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-None.k +++ /dev/null @@ -1,98 +0,0 @@ -//@ proof -require "trusted-change-user-role-None.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NONE - imports TRUSTED-CHANGE-USER-ROLE-NONE -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-NONE -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddProposer(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - u(NumBoardMembers:Int) - u(NumProposers:Int) - UserIdToRole:Map - u(Quorum:Int) - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers) - u(NumProposers +Int 1) - UserId |-> Proposer UserIdToRole - u(Quorum) - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - andBool Quorum <=Int NumBoardMembers - - andBool notBool UserId in_keys(UserIdToRole) - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k deleted file mode 100644 index 6e49f5fc7..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-add-proposer-Proposer.k +++ /dev/null 
@@ -1,96 +0,0 @@ -//@ proof -require "trusted-change-user-role-Proposer.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-ID-ADD-PROPOSER-PROPOSER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-ADD-PROPOSER-PROPOSER -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - AddProposer(UserAddress:Address) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - (UserAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map - - - u(NumBoardMembers:Int) - NumProposers:Usize - (UserId |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map - u(Quorum:Int) - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers) - NumProposers - UserIdToRole - u(Quorum) - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool addressToUserIdInvariant(AddressToUserId) - andBool Quorum <=Int NumBoardMembers - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k deleted file mode 100644 index aa72dc27a..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum-no-quorum.k +++ /dev/null 
@@ -1,92 +0,0 @@ -//@ proof -module PROOF-PERFORM-ACTION-ID-ID-CHANGE-QUORUM-NO-QUORUM -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-CHANGE-QUORUM-NO-QUORUM -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - ChangeQuorum(u(NewQuorum:Int)) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - AddressToUserId:Map - - - u(NumBoardMembers:Int) - NumProposers:Usize - UserIdToRole:Map - OldQuorum:Usize - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - error ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers) - NumProposers - UserIdToRole - OldQuorum - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool NewQuorum >Int NumBoardMembers - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k deleted file mode 100644 index 4de4905ac..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-change-quorum.k +++ /dev/null 
@@ -1,92 +0,0 @@ -//@ proof -module PROOF-PERFORM-ACTION-ID-ID-CHANGE-QUORUM -//@ trusted -// module TRUSTED-PERFORM-ACTION-ID-ID-CHANGE-QUORUM -//@ end - - imports PSEUDOCODE - - claim - - call(performAction( - ChangeQuorum(u(NewQuorum:Int)) #as Action:Action - )) ~> K:K - - - - - NumUsers:Usize - UserIdToAddress:Map - AddressToUserId:Map - - - u(NumBoardMembers:Int) - NumProposers:Usize - UserIdToRole:Map - _OldQuorum:Usize - - - ActionLastIndex:Usize - - ActionId |-> - ActionData:Map - - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - u(NumBoardMembers) - NumProposers - UserIdToRole - u(NewQuorum) - - - ActionLastIndex - - ActionData - ActionSigners[ActionId <- undef] - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - - requires true - andBool isKResult(Action) - andBool NewQuorum <=Int NumBoardMembers - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k deleted file mode 100644 index 519c04227..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-nothing.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-nothing.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k deleted file mode 100644 index c5cc5bd21..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember-too-few.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-remove-user-BoardMember-too-few.k -- 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k deleted file mode 100644 index c6345d8ed..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-BoardMember.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-remove-user-BoardMember.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k deleted file mode 100644 index 860083509..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-New.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-remove-user-New.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k deleted file mode 100644 index 71ca326b1..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-None.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-remove-user-None.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k deleted file mode 100644 index f1bf464db..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer-nobody-left.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-remove-user-Proposer-nobody-left.k -- 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k deleted file mode 100644 index 63c357c19..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-remove-user-Proposer.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-remove-user-Proposer.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k deleted file mode 100644 index c23e798c4..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-call.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-sc-call.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k deleted file mode 100644 index a49c57e29..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-sc-deploy.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-sc-deploy.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k deleted file mode 100644 index ad8307fa0..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-id-send-egld.k +++ /dev/null @@ -1 +0,0 @@ -proof-perform-action-send-egld.k -- diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k index 3782cc067..9eaeb5686 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k 
@@ -1,5 +1,8 @@ //@ proof +require "trusted-perform-action-nothing.k" //@ Bazel remove + module PROOF-PERFORM-ACTION-ID-NOTHING + imports TRUSTED-PERFORM-ACTION-NOTHING //@ trusted // module TRUSTED-PERFORM-NOTHING //@ end @@ -8,7 +11,7 @@ module PROOF-PERFORM-ACTION-ID-NOTHING claim - call(performAction(Nothing:Action)) ~> K:K + call(performAction(Nothing #as Action:Action)) ~> K:K @@ -40,9 +43,6 @@ module PROOF-PERFORM-ACTION-ID-NOTHING PerformedActions:List - - PerformedActions:List - => @@ -65,7 +65,7 @@ module PROOF-PERFORM-ACTION-ID-NOTHING ActionLastIndex ActionData - ActionSigners[ActionId <- undef] + ActionSigners diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k index 93522f3ac..e298275da 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember-too-few.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove +require "trusted-perform-action-remove-user-boardmember-too-few.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW //@ trusted // module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -22,7 +23,7 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW u(NumBoardMembers:Int) u(NumProposers:Int) - u(UserId:Int) |-> BoardMember UserIdToRole:Map + (u(UserId:Int) |-> BoardMember _UserIdToRole:Map) #as UserIdToRole:Map u(Quorum:Int) @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW PerformedActions:List - - PerformedActions:List - => 
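Review bot: In the last hunk of proof-perform-action-id-nothing.k the post-state cell changes from `ActionSigners[ActionId <- undef]` to `ActionSigners`, so the claim now states that performing `Nothing` drops `ActionId |-> ...` from `ActionData` but leaves that action's signer set in place. If the signer cleanup has moved to the endpoint level (the pseudocode.k change is not in this chunk, and the cell markup is stripped in this rendering) the ID-level claim is right, but nothing in the file says so, and a reader of this claim alone could take it for a stale-signers defect — the condition that would let a reused action id inherit signatures. A one-line comment beside the cell would settle it, e.g. `// ActionSigners is intentionally untouched here; the endpoint proof covers clearing it after performAction returns`, adjusted to what the semantics actually do.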
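Review bot: The new `require` paths are inconsistently cased: `trusted-perform-action-remove-user-boardmember-too-few.k` and `trusted-perform-action-remove-user-boardmember.k` in the two BoardMember files, `trusted-perform-action-remove-user-new.k` and `trusted-perform-action-remove-user-none.k` in the New/None hunks, but `trusted-perform-action-remove-user-Proposer-nobody-left.k` and `trusted-perform-action-remove-user-Proposer.k` in the Proposer hunks, while the BUILD `ktrusted` targets and the existing proof filenames spell the role in CamelCase (`proof-perform-action-id-remove-user-BoardMember.k`). Because these lines carry `//@ Bazel remove`, neither the Bazel build nor the kmerge output ever exercises them, so a wrong-case path only surfaces when someone loads the unmerged `.k` file directly on a case-sensitive filesystem. Use one spelling in all six, e.g. `require "trusted-perform-action-remove-user-BoardMember-too-few.k" //@ Bazel remove`.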
@@ -62,7 +60,7 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW AddressToUserId - u(NumBoardMembers -Int 1) + u(NumBoardMembers) u(NumProposers) UserIdToRole u(Quorum) @@ -82,6 +80,9 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW CallerAddress + + PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k index 44dd90509..72332bbe7 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-BoardMember.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-BoardMember.k" //@ Bazel remove +require "trusted-perform-action-remove-user-boardmember.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER //@ trusted // module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k index cd78f0a67..556160c59 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-New.k 
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-New.k" //@ Bazel remove +require "trusted-perform-action-remove-user-new.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-REMOVE-USER-NEW - imports TRUSTED-CHANGE-USER-ROLE-NEW + imports TRUSTED-PERFORM-ACTION-REMOVE-USER-NEW //@ trusted // module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-NEW //@ end + imports EXECUTION-PROOF-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-NEW PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k index bd2ad7add..15049022c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-None.k @@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-None.k" //@ Bazel remove +require "trusted-perform-action-remove-user-none.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-REMOVE-USER-NONE - imports TRUSTED-CHANGE-USER-ROLE-NONE + imports TRUSTED-PERFORM-ACTION-REMOVE-USER-NONE //@ trusted // module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-NONE //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-NONE PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k index be5d0e826..116774624 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer-nobody-left.k 
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-Proposer.k" //@ Bazel remove +require "trusted-perform-action-remove-user-Proposer-nobody-left.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + imports TRUSTED-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT //@ trusted // module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -22,7 +23,7 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT u(NumBoardMembers:Int) u(NumProposers:Int) - u(UserId:Int) |-> Proposer UserIdToRole:Map + (u(UserId:Int) |-> Proposer _UserIdToRole:Map) #as UserIdToRole:Map u(Quorum:Int) @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT PerformedActions:List - - PerformedActions:List - => @@ -63,7 +61,7 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT u(NumBoardMembers) - u(NumProposers -Int 1) + u(NumProposers) UserIdToRole u(Quorum) @@ -82,6 +80,9 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT CallerAddress + + PerformedActions + requires true diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k index 7b567d622..54135915e 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-remove-user-Proposer.k 
@@ -1,12 +1,13 @@ //@ proof -require "trusted-change-user-role-Proposer.k" //@ Bazel remove +require "trusted-perform-action-remove-user-Proposer.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER + imports TRUSTED-PERFORM-ACTION-REMOVE-USER-PROPOSER //@ trusted // module TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim @@ -46,9 +47,6 @@ module PROOF-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k index 988e0b3ea..0434b04df 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-sc-deploy.k @@ -1,5 +1,8 @@ //@ proof +require "trusted-perform-action-sc-deploy.k" //@ Bazel remove + module PROOF-PERFORM-ACTION-ID-SC-DEPLOY + imports TRUSTED-PERFORM-ACTION-SC-DEPLOY //@ trusted // module TRUSTED-PERFORM-ACTION-ID-SC-DEPLOY //@ end @@ -47,9 +50,6 @@ module PROOF-PERFORM-ACTION-ID-SC-DEPLOY PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k index 16508fc55..5f452cdfb 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-send-egld.k @@ -1,5 +1,8 @@ //@ proof +require "trusted-perform-action-send-egld.k" //@ Bazel remove + module PROOF-PERFORM-ACTION-ID-SEND-EGLD + imports TRUSTED-PERFORM-ACTION-SEND-EGLD //@ trusted // module TRUSTED-PERFORM-ACTION-ID-SEND-EGLD //@ end 
@@ -46,9 +49,6 @@ module PROOF-PERFORM-ACTION-ID-SEND-EGLD PerformedActions:List - - PerformedActions:List - => diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k index 0016913bf..8034d5cf0 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-nothing.k @@ -1,7 +1,7 @@ //@ proof module PROOF-PERFORM-ACTION-NOTHING //@ trusted -// module TRUSTED-PERFORM-NOTHING +// module TRUSTED-PERFORM-ACTION-NOTHING //@ end imports PSEUDOCODE diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k index 764488d7f..0ae0fa4a0 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember-too-few.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW // module TRUSTED-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER-TOO-FEW //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k index 5c5b0ef99..694a17d96 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-BoardMember.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER // module TRUSTED-PERFORM-ACTION-REMOVE-USER-BOARDMEMBER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k index 6ef728d3b..990ff6a71 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-New.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-NEW // module TRUSTED-PERFORM-ACTION-REMOVE-USER-NEW //@ end + imports EXECUTION-PROOF-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k index 1db688d90..9986d8402 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-None.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-NONE // module TRUSTED-PERFORM-ACTION-REMOVE-USER-NONE //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k index b5fc5c948..54798d18d 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer-nobody-left.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT // module TRUSTED-PERFORM-ACTION-REMOVE-USER-PROPOSER-NOBODY-LEFT //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k index b27c78a4c..2122c2038 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-remove-user-Proposer.k @@ -7,6 +7,7 @@ module PROOF-PERFORM-ACTION-REMOVE-USER-PROPOSER // module TRUSTED-PERFORM-ACTION-REMOVE-USER-PROPOSER //@ end + imports INVARIANT-HELPERS imports PSEUDOCODE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k index 4c4f9d81d..a0c426f35 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-BoardMember.k @@ -3,6 +3,8 @@ module PROOF-PROPOSE-ACTION-BOARDMEMBER //@ trusted // module TRUSTED-PROPOSE-ACTION-BOARDMEMBER //@ end + + imports EXECUTION-PROOF-HELPERS imports FUNCTIONS-EXECUTE claim diff --git a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k index 8535bf8f3..d20c7e554 100644 --- a/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k +++ b/multisig/protocol-correctness/proof/functions/proof-propose-action-Proposer.k @@ -3,6 +3,8 @@ module PROOF-PROPOSE-ACTION-PROPOSER //@ trusted // module TRUSTED-PROPOSE-ACTION-PROPOSER //@ end + + imports EXECUTION-PROOF-HELPERS imports FUNCTIONS-EXECUTE claim From 26a673da9aa3f579e26b115bd55acea7c946653a Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Thu, 15 Apr 2021 02:07:12 +0300 Subject: [PATCH 28/37] Some of the proofs for perform-action-enpoint --- multisig/kompile_tool/kmerge.sh | 5 +- multisig/proof.bzl | 11 +- .../proof/functions/BUILD | 405 +++++++++++++++++- .../proof-perform-action-endpoint-New.k | 60 +++ .../proof-perform-action-endpoint-None.k | 59 +++ ...on-endpoint-add-board-member-BoardMember.k | 74 ++++ ...orm-action-endpoint-add-board-member-New.k | 79 ++++ ...rm-action-endpoint-add-board-member-None.k | 74 ++++ ...ction-endpoint-add-board-member-Proposer.k | 76 ++++ ...point-add-proposer-BoardMember-no-quorum.k | 75 ++++ ...action-endpoint-add-proposer-BoardMember.k | 77 ++++ ...perform-action-endpoint-add-proposer-New.k | 80 ++++ ...erform-action-endpoint-add-proposer-None.k | 75 ++++ ...rm-action-endpoint-add-proposer-Proposer.k | 75 ++++ ...rform-action-endpoint-fragment-performs.k} | 10 +- ...m-action-endpoint-no-quorum-has-signers.k} | 33 +- ...orm-action-endpoint-no-quorum-no-signers.k | 61 +++ multisig/protocol-correctness/pseudocode.k | 9 +- 18 files changed, 1295 insertions(+), 43 deletions(-) create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-New.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember.k
 create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-New.k
 create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-None.k
 create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer.k
 rename multisig/protocol-correctness/proof/functions/{proof-perform-action-endpoint-fragment-performs-no-signers.k => proof-perform-action-endpoint-fragment-performs.k} (89%)
 rename multisig/protocol-correctness/proof/functions/{proof-perform-action-endpoint-fragment-performs-has-signers.k => proof-perform-action-endpoint-no-quorum-has-signers.k} (57%)
 create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k
diff --git a/multisig/kompile_tool/kmerge.sh b/multisig/kompile_tool/kmerge.sh
index 2251ded2d..79dba8962 100755
--- a/multisig/kompile_tool/kmerge.sh
+++ b/multisig/kompile_tool/kmerge.sh
@@ -5,7 +5,10 @@ set -e
 OUTPUT=$1
 shift
 
-echo > $OUTPUT
+FIRST=$1
+shift
+
+cat $FIRST | sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' > $OUTPUT
 
 for f in "$@"
 do
diff --git a/multisig/proof.bzl b/multisig/proof.bzl
index 79e32935a..151633981 100644
--- a/multisig/proof.bzl
+++ b/multisig/proof.bzl
@@ -149,6 +149,14 @@ def _kprove_test_impl(ctx):
 merged_file)
 
 output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh')
+ command_parts = [
+ "pushd $(pwd)",
+ "kompile_tool/kprove_tool %s %s %s --debug" % (
+ ctx.attr.semantics[KompileInfo].files[0].short_path,
+ ctx.files.srcs[0].path,
+ merged_file.short_path),
+ "popd",
+ ]
 script_lines = [
 "#!/usr/bin/env bash",
 "",
@@ -156,8 +164,7 @@ def _kprove_test_impl(ctx):
 # 'echo "aaa: $line"',
 # "",
 "echo 'To debug:'",
- 'echo "cd $(pwd)"',
- "echo kompile_tool/kprove_tool %s %s %s --debug" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path),
+ 'echo "%s"' % ("; ".join(command_parts)),
 "kompile_tool/kprove_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'),
 ]
 ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True)
diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD
index 30d0c8af1..0463293cb 100644
--- a/multisig/protocol-correctness/proof/functions/BUILD
+++ b/multisig/protocol-correctness/proof/functions/BUILD
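Review bot: `cat $FIRST | sed '...' > $OUTPUT` in the kmerge.sh hunk leaves `$FIRST` and `$OUTPUT` unquoted and, under `set -e` without `pipefail`, a missing or unreadable first file is not an error: `cat` fails, `sed` still exits 0, and `$OUTPUT` is silently created without its first module, so a later proof step fails far from the cause. Let sed read the file itself so the failure is reported where it happens: `sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' "$FIRST" > "$OUTPUT"`. `\s` in the pattern is a GNU sed extension; `[[:space:]]*` is the portable spelling. The loop that appends the remaining files begins at the hunk's last context lines and continues outside it.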
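Review bot: The kprove_tool invocation is now written out twice in `_kprove_test_impl`, once in the new `command_parts` (with `--debug`) and once on the unchanged run line in the `-156,8` hunk, each with its own `%s` triple, so the two can drift and the `To debug:` echo would then not reproduce what the test actually ran. Build it once, `kprove_cmd = "kompile_tool/kprove_tool %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path)`, then use `kprove_cmd + " --debug"` inside `command_parts` and `kprove_cmd + ' "$@"'` on the run line. The echoed command also interpolates the three paths unquoted into a double-quoted bash string; that is presumably fine for Bazel-generated paths, but a short comment saying the paths are assumed shell-safe would make the assumption visible. The head of the function, where `merged_file` is produced, is outside both hunks.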
@@ -9,6 +9,269 @@ kompile( ], ) +kprove_test( + name = "proof-perform-action-endpoint-New", + srcs = ["proof-perform-action-endpoint-New.k"], + trusted = [":trusted-perform-action-endpoint-fragment-New"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-None", + srcs = ["proof-perform-action-endpoint-None.k"], + trusted = [":trusted-perform-action-endpoint-fragment-None"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-no-quorum-no-signers", + srcs = ["proof-perform-action-endpoint-no-quorum-no-signers.k"], + trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-no-signers"], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-no-quorum-has-signers", + srcs = ["proof-perform-action-endpoint-no-quorum-has-signers.k"], + trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-has-signers"], + semantics = ":functions-execute", + timeout = "long", +) + +# kprove_test( +# name = "proof-perform-action-endpoint-remove-user-BoardMember", +# srcs = ["proof-perform-action-endpoint-remove-user-BoardMember.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-remove-user-BoardMember", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-remove-user-BoardMember-too-few", +# srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-remove-user-BoardMember-too-few", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-remove-user-Proposer-nobody-left", +# srcs = ["proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k"], +# trusted = [ +# 
":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-remove-user-Proposer-nobody-left", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-remove-user-Proposer", +# srcs = ["proof-perform-action-endpoint-remove-user-Proposer.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-remove-user-Proposer", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-remove-user-None", +# srcs = ["proof-perform-action-endpoint-remove-user-None.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-remove-user-None", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-remove-user-New", +# srcs = ["proof-perform-action-endpoint-remove-user-New.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-remove-user-New", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-change-quorum", +# srcs = ["proof-perform-action-endpoint-change-quorum.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-change-quorum", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-change-quorum-no-quorum", +# srcs = ["proof-perform-action-endpoint-change-quorum-no-quorum.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-change-quorum-no-quorum", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +kprove_test( + name = "proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum", + srcs = 
["proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-proposer-BoardMember-no-quorum", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-proposer-BoardMember", + srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-proposer-BoardMember", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-proposer-Proposer", + srcs = ["proof-perform-action-endpoint-add-proposer-Proposer.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-proposer-Proposer", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-proposer-New", + srcs = ["proof-perform-action-endpoint-add-proposer-New.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-proposer-New", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-proposer-None", + srcs = ["proof-perform-action-endpoint-add-proposer-None.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-proposer-None", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-board-member-New", + srcs = ["proof-perform-action-endpoint-add-board-member-New.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-board-member-New", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = 
"proof-perform-action-endpoint-add-board-member-BoardMember", + srcs = ["proof-perform-action-endpoint-add-board-member-BoardMember.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-board-member-BoardMember", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-board-member-Proposer", + srcs = ["proof-perform-action-endpoint-add-board-member-Proposer.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-board-member-Proposer", + ], + semantics = ":functions-execute", + timeout = "long", +) + +kprove_test( + name = "proof-perform-action-endpoint-add-board-member-None", + srcs = ["proof-perform-action-endpoint-add-board-member-None.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-add-board-member-None", + ], + semantics = ":functions-execute", + timeout = "long", +) + +# kprove_test( +# name = "proof-perform-action-endpoint-send-egld", +# srcs = ["proof-perform-action-endpoint-send-egld.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-send-egld", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-sc-call", +# srcs = ["proof-perform-action-endpoint-sc-call.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-sc-call", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = "proof-perform-action-endpoint-sc-deploy", +# srcs = ["proof-perform-action-endpoint-sc-deploy.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-sc-deploy", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + +# kprove_test( +# name = 
"proof-perform-action-endpoint-nothing", +# srcs = ["proof-perform-action-endpoint-nothing.k"], +# trusted = [ +# ":trusted-perform-action-endpoint-fragment-performs", +# ":trusted-perform-action-id-nothing", +# ], +# semantics = ":functions-execute", +# timeout = "long", +# ) + kprove_test( name = "proof-perform-action-endpoint-fragment-New", srcs = ["proof-perform-action-endpoint-fragment-New.k"], @@ -40,16 +303,8 @@ kprove_test( ) kprove_test( - name = "proof-perform-action-endpoint-fragment-performs-no-signers", - srcs = ["proof-perform-action-endpoint-fragment-performs-no-signers.k"], - trusted = ["trusted-count-can-sign"], - semantics = ":functions-execute", - timeout = "long", -) - -kprove_test( - name = "proof-perform-action-endpoint-fragment-performs-has-signers", - srcs = ["proof-perform-action-endpoint-fragment-performs-has-signers.k"], + name = "proof-perform-action-endpoint-fragment-performs", + srcs = ["proof-perform-action-endpoint-fragment-performs.k"], trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", timeout = "eternal", 
@@ -819,3 +1074,133 @@ ktrusted(
 name = "trusted-perform-action-nothing",
 srcs = ["proof-perform-action-nothing.k"],
 )
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-fragment-New",
+ srcs = ["proof-perform-action-endpoint-fragment-New.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-fragment-None",
+ srcs = ["proof-perform-action-endpoint-fragment-None.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-fragment-no-quorum-no-signers",
+ srcs = ["proof-perform-action-endpoint-fragment-no-quorum-no-signers.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-fragment-no-quorum-has-signers",
+ srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-fragment-performs",
+ srcs = ["proof-perform-action-endpoint-fragment-performs.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-remove-user-BoardMember",
+ srcs = ["proof-perform-action-id-remove-user-BoardMember.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-remove-user-BoardMember-too-few",
+ srcs = ["proof-perform-action-id-remove-user-BoardMember-too-few.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-remove-user-Proposer-nobody-left",
+ srcs = ["proof-perform-action-id-remove-user-Proposer-nobody-left.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-remove-user-Proposer",
+ srcs = ["proof-perform-action-id-remove-user-Proposer.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-remove-user-None",
+ srcs = ["proof-perform-action-id-remove-user-None.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-remove-user-New",
+ srcs = ["proof-perform-action-id-remove-user-New.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-change-quorum",
+ srcs = ["proof-perform-action-id-change-quorum.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-change-quorum-no-quorum",
+ srcs = ["proof-perform-action-id-change-quorum-no-quorum.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-proposer-BoardMember-no-quorum",
+ srcs = ["proof-perform-action-id-add-proposer-BoardMember-no-quorum.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-proposer-BoardMember",
+ srcs = ["proof-perform-action-id-add-proposer-BoardMember.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-proposer-Proposer",
+ srcs = ["proof-perform-action-id-add-proposer-Proposer.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-proposer-New",
+ srcs = ["proof-perform-action-id-add-proposer-New.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-proposer-None",
+ srcs = ["proof-perform-action-id-add-proposer-None.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-board-member-New",
+ srcs = ["proof-perform-action-id-add-board-member-New.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-board-member-BoardMember",
+ srcs = ["proof-perform-action-id-add-board-member-BoardMember.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-board-member-Proposer",
+ srcs = ["proof-perform-action-id-add-board-member-Proposer.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-add-board-member-None",
+ srcs = ["proof-perform-action-id-add-board-member-None.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-send-egld",
+ srcs = ["proof-perform-action-id-send-egld.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-sc-call",
+ srcs = ["proof-perform-action-id-sc-call.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-sc-deploy",
+ srcs = ["proof-perform-action-id-sc-deploy.k"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-id-nothing",
+ srcs = ["proof-perform-action-id-nothing.k"],
+)
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k
new file mode 100644
index 000000000..3eb99c935
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k @@ -0,0 +1,60 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-new.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-NEW +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + caller_address |-> CallerAddress + caller_id |-> u(0) + caller_role |-> None, + PerformedActions + ) + + requires true + andBool notBool CallerAddress in_keys(AddressToUserId) + andBool notBool u(0) in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k new file mode 100644 index 000000000..44ed2822e --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k 
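Review bot: `require "trusted-perform-action-endpoint-fragment-new.k"` uses a lowercase `new`, while the BUILD target for that trusted module is `trusted-perform-action-endpoint-fragment-New` with source `proof-perform-action-endpoint-fragment-New.k`, and the None proof that follows has the same `fragment-none.k` vs `fragment-None` mismatch. If the generated trusted file keeps the proof's capitalisation, the non-Bazel path (the line is marked `//@ Bazel remove`) fails on a case-sensitive filesystem, so the require should read `require "trusted-perform-action-endpoint-fragment-New.k" //@ Bazel remove`. Separately, the claim's `requires` assumes `notBool u(0) in_keys(UserIdToRole)`: an unregistered caller is mapped to `caller_id |-> u(0)`, so the claim only covers states in which id 0 is not a registered user. If `invariantStateFull` does not already exclude id 0 from `UserIdToRole`, that should be made part of the invariant (or at least stated in a comment on the claim), since a state with id 0 registered is exactly the one in which an unknown address would inherit a real role and the proof would say nothing about it.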
@@ -0,0 +1,59 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-none.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-NONE + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-NONE +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + Quorum:Usize, + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + Quorum, + ActionLastIndex, + ActionData, + ActionSigners, + CallerAddress, + Stack, + caller_address |-> CallerAddress + caller_id |-> UserId + caller_role |-> None, + PerformedActions + ) + + requires true + andBool notBool UserId in_keys(UserIdToRole) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember.k new file mode 100644 index 000000000..a25a78256 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember.k 
@@ -0,0 +1,74 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-board-member-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-BOARDMEMBER +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> Role:UserRole + UserId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
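Review bot: The `require` path `trusted-perform-action-endpoint-id-add-board-member-BoardMember.k` matches neither the module it imports, `TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER`, nor the BUILD target `trusted-perform-action-id-add-board-member-BoardMember`, whose source is `proof-perform-action-id-add-board-member-BoardMember.k`; the `endpoint-` segment appears only in the require. The same mismatch is in every `add-board-member-*` and `add-proposer-*` endpoint proof in this commit. Bazel strips the line, so only the Makefile-driven flow would notice, assuming the generated trusted file is named after its proof. Suggested: `require "trusted-perform-action-id-add-board-member-BoardMember.k" //@ Bazel remove`, and likewise in the sibling files.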
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-New.k new file mode 100644 index 000000000..802756713 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-New.k 
@@ -0,0 +1,79 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-board-member-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-NEW +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + u(NumUsers:Int), + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + u(NumUsers +Int 1), + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, + UserAddress |-> u(NumUsers +Int 1) AddressToUserId, + u(NumBoardMembers +Int 1), + NumProposers, + u(NumUsers +Int 1) |-> BoardMember UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. 
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + + andBool notBool UserAddress in_keys(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-None.k new file mode 100644 index 000000000..f01d21cee --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-None.k 
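Review bot: The TODO above the two `unusedIdsInMapKeys` conditions has a typo ("someting"), is repeated verbatim in the add-proposer-New claim, and does not say what the conditions currently establish. Suggest `// TODO: replace both unusedIdsInMapKeys conditions with something like unusedIdsInMapValues(AddressToUserId); ids are map values there and keys in the other two maps.` The new user id is `NumUsers +Int 1` with `NumUsers >=Int 0` as the only bound, which reads as ids being 1-based; that is worth stating next to these conditions, because the New/None endpoint claims rely on `u(0)` never being a registered id.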
@@ -0,0 +1,74 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-board-member-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-NONE + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-NONE +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers +Int 1), + NumProposers, + UserId |-> BoardMember UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool notBool UserId in_keys(UserIdToRole) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer.k new file mode 100644 index 000000000..0a768a030 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer.k 
@@ -0,0 +1,76 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-board-member-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-PROPOSER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-PROPOSER +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> Proposer + CallerId |-> Role:UserRole + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers +Int 1), + u(NumProposers -Int 1), + UserId |-> BoardMember + CallerId |-> Role:UserRole + UserIdToRoleInner:Map, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // 
[trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k new file mode 100644 index 000000000..25e0a1daa --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k 
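Review bot: The post-state uses `u(NumProposers -Int 1)`, but nothing in the `requires` bounds `NumProposers`; the link between the counter and the `UserId |-> Proposer` entry in `UserIdToRole` must come from `invariantStateFull` or `userIdToRoleInvariant`, neither of which is visible here. If they do not tie the two, the claim admits `NumProposers = 0` and a negative usize on the right-hand side. The same applies to `u(NumBoardMembers -Int 1)` in the add-proposer-BoardMember claim further down. A one-line `andBool NumProposers >=Int 1`, or a comment naming the invariant that implies it, would make the assumption explicit.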
@@ -0,0 +1,75 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum ==Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
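Review bot: This error claim is guarded by `Quorum ==Int NumBoardMembers` and its success counterpart by `Quorum <=Int NumBoardMembers -Int 1`, so between them the demotion of a board member to proposer is covered only for `Quorum <=Int NumBoardMembers`. Whether `Quorum >Int NumBoardMembers` is unreachable (excluded by `invariantStateFull`) or merely unproven is not visible from the claim; a comment such as `// Quorum <=Int NumBoardMembers is part of the invariant, so ==Int is the only remaining error case` would record which. This is the check that keeps the quorum reachable after the role change, so the gap, if it is one, is worth closing rather than leaving implicit.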
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember.k new file mode 100644 index 000000000..10e604bda --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember.k 
@@ -0,0 +1,77 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> BoardMember + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers +Int 1), + (CallerId |-> Role:UserRole + UserId |-> Proposer + UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures 
true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-New.k new file mode 100644 index 000000000..4b663377d --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-New.k 
@@ -0,0 +1,80 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-NEW +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + u(NumUsers:Int), + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + u(NumUsers +Int 1), + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, + UserAddress |-> u(NumUsers +Int 1) AddressToUserId, + u(NumBoardMembers), + u(NumProposers +Int 1), + u(NumUsers +Int 1) |-> Proposer UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. 
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserAddress in_keys(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-None.k new file mode 100644 index 000000000..db11f380f --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-None.k 
@@ -0,0 +1,75 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-None.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-NONE + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-NONE +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-NONE +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers +Int 1), + UserId |-> Proposer UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool notBool UserId in_keys(UserIdToRole) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end 
+endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer.k new file mode 100644 index 000000000..60246d409 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer.k 
@@ -0,0 +1,75 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-PROPOSER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-PROPOSER +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + UserId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs.k similarity index 89% rename from multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k rename to multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs.k index 75a40fa4b..e224b59ec 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-no-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs.k @@ -1,12 +1,13 @@ //@ proof require "trusted-count-can-sign.k" //@ Bazel remove -module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-NO-SIGNERS +module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS imports TRUSTED-COUNT-CAN-SIGN //@ trusted -// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-NO-SIGNERS +// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS //@ end - imports FUNCTIONS-EXECUTE + + imports INVARIANT claim runPseudoCode( @@ -67,8 +68,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-NO-SIGNERS andBool actionSignersInvariant(ActionSigners) andBool (Role ==K BoardMember orBool Role ==K Proposer) - andBool notBool ActionId in_keys(ActionSigners) - andBool Quorum ==Int 0 + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) ensures true //@ proof //@ trusted 
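Review bot: The proof now has `imports INVARIANT` in place of `imports FUNCTIONS-EXECUTE`, while its BUILD target (the `@@ -40,16 +303,8 @@` hunk above) still passes `semantics = ":functions-execute"`; if the `runPseudoCode` body still needs FUNCTIONS-EXECUTE and INVARIANT does not import it, this will not compile, and if INVARIANT does, a short comment saying so would save the next reader the lookup. The new precondition `Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))` folds the removed no-signers case (`Quorum ==Int 0`) into the general one; stating that `[.]` is the empty signer list next to it would make clear that the no-signer case is still covered.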
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k similarity index 57% rename from multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k rename to multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k index 7abd02795..22ada218c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-performs-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k @@ -1,24 +1,15 @@ //@ proof -require "trusted-count-can-sign.k" //@ Bazel remove +require "trusted-perform-action-endpoint-fragment-no-quorum-no-signers.k" //@ Bazel remove -module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS - imports TRUSTED-COUNT-CAN-SIGN +module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS //@ trusted -// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS +// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS //@ end imports FUNCTIONS-EXECUTE claim - runPseudoCode( - caller_address = getCaller(); - caller_id = getUserId(caller_address); - caller_role = getUserIdToRole(caller_id); - require(userRoleCanPerformAction(caller_role)); - require(quorumReached(ActionId:Usize)); - performActionFromId(ActionId); - ) - ~> K:K - + call(performActionEndpoint(ActionId:Usize)) ~> K:K invariantStateFull( NumUsers:Usize, UserIdToAddress:Map, @@ -29,7 +20,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS u(Quorum:Int), ActionLastIndex:Usize, ActionData:Map, - (ActionId |-> SignerIds:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + ActionSigners:Map, CallerAddress:Address, Stack:Stack, .Map, 
@@ -38,11 +29,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS => - runPseudoCode( - performActionFromId(ActionId); - ) - ~> K:K - + error ~> K:K invariantStateFull( NumUsers, UserIdToAddress, @@ -63,11 +50,9 @@ module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS-HAS-SIGNERS ) requires true - andBool userIdToRoleInvariant(UserIdToRole) - andBool actionSignersInvariant(ActionSigners) - andBool (Role ==K BoardMember orBool Role ==K Proposer) - andBool Quorum <=Int countCanSignFunction(SignerIds, opaque(UserIdToRole)) + andBool notBool ActionId in_keys(ActionSigners) + andBool Quorum >Int 0 ensures true //@ proof //@ trusted diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k new file mode 100644 index 000000000..22ada218c --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k 
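Review bot: The file renamed to `proof-perform-action-endpoint-no-quorum-has-signers.k` no longer contains a has-signers proof: after this hunk it declares `module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS`, requires the `no-quorum-no-signers` trusted module and keeps `andBool notBool ActionId in_keys(ActionSigners)`, and its post-image blob `22ada218c` is identical to the new no-signers file created right after it. The `SignerIds` / `countCanSignFunction` precondition that distinguished the has-signers case is removed, so the property that an action with some signatures but fewer than `Quorum` is rejected with `error` — the central multisig guarantee — is left unproven even though BUILD still registers a target under this name. I would expect this file to keep its own module name and a requires along the lines of `andBool ActionId in_keys(ActionSigners)` and `andBool Quorum >Int countCanSignFunction({ActionSigners[ActionId]}:>ExpressionList, opaque(UserIdToRole))`; the exact shape depends on `quorumReached`, which is not visible here.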
@@ -0,0 +1,61 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-no-quorum-no-signers.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ error ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack,
+ caller_address |-> CallerAddress
+ caller_id |-> UserId
+ caller_role |-> Role,
+ PerformedActions
+ )
+
+ requires true
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool notBool ActionId in_keys(ActionSigners)
+ andBool Quorum >Int 0
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k
index 7fcb525e4..1a61f36c9 100644
--- a/multisig/protocol-correctness/pseudocode.k
+++ b/multisig/protocol-correctness/pseudocode.k
@@ -533,7 +533,6 @@ module PSEUDOCODE-FUNCTIONS _ => V stack(_, V:Map, _, Stack:Stack) => Stack requires isKResult(E) - [label(xyzzy)] rule (E:Expression ~> evaluateReturnValue) => evaluate(E) ... requires isKResult(E)
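Review bot: The claim carries no comment saying which case it covers; the module name and the `requires` are the only hint. Reading it off the claim: the caller's `Role` is `BoardMember` or `Proposer`, `ActionId` has no entry in `ActionSigners`, `Quorum >Int 0`, and the endpoint must end in `error ~> K:K` with every `invariantStateFull` field unchanged except the locals map, which goes from `.Map` to `caller_address`/`caller_id`/`caller_role` bindings. I would put that above `claim` as `// performActionEndpoint on an action nobody has signed, with a positive quorum: must fail with error and leave the contract state untouched (only the caller_* locals get bound).`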
@@ -693,6 +692,7 @@ module PSEUDOCODE-FUNCTIONS require(quorumReached(ActionId)); performActionFromId(ActionId); ) + [label(xyzzy)] rule call(discardAction(ActionId:Usize)) => runPseudoCode( @@ -1207,6 +1207,13 @@ module MAP-UTILS rule X:KItem in_keys((Y:KItem |-> _:KItem M:Map) #as _:Map) => X ==K Y orBool X in_keys(M) [simplification] + + rule M:Map[Key:KItem] orDefault _:KItem => M[Key] + requires Key in_keys(M) + [simplification] + rule M:Map[Key:KItem] orDefault D:KItem => D + requires notBool Key in_keys(M) + [simplification] endmodule module PSEUDOCODE-MAP-UTILS From 7b71500c08be0ce836f4d52e71b14ef95fc89d88 Mon Sep 17 00:00:00 2001 
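Review bot: The `[label(xyzzy)]` attribute is moved onto the rule whose body ends with `require(quorumReached(ActionId)); performActionFromId(ActionId);`, which by that context appears to be the `performActionEndpoint` rule — the one that gates execution on quorum. A placeholder name is the wrong thing to attach to exactly that rule: if the proofs or the REPL script refer to the label, name it after the rule, `[label(performActionEndpoint)]`; if it was only left over from stepping through the REPL, drop it. The rule starts outside this hunk. The two `orDefault` simplifications added to MAP-UTILS look right; a one-line comment noting that they only fire once `Key in_keys(M)` is decidable would help readers of the proofs that now depend on them.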
From: Virgil Serbanuta Date: Thu, 15 Apr 2021 20:30:53 +0300 Subject: [PATCH 29/37] Proofs for the perform action endpoint function --- multisig/kompile_tool/BUILD | 16 + multisig/kompile_tool/kmerge.sh | 1 + multisig/kompile_tool/kore.sh | 46 +++ multisig/kompile_tool/kprove-kompile.sh | 53 +++ multisig/proof.bzl | 203 ++++++++++-- .../proof/functions/BUILD | 309 ++++++------------ .../proof-perform-action-endpoint-New.k | 2 +- ...-action-endpoint-change-quorum-no-quorum.k | 72 ++++ ...of-perform-action-endpoint-change-quorum.k | 72 ++++ ...rm-action-endpoint-no-quorum-has-signers.k | 8 +- ...endpoint-remove-user-BoardMember-too-few.k | 78 +++++ ...-action-endpoint-remove-user-BoardMember.k | 76 +++++ ...-perform-action-endpoint-remove-user-New.k | 79 +++++ ...perform-action-endpoint-remove-user-None.k | 76 +++++ ...ndpoint-remove-user-Proposer-nobody-left.k | 76 +++++ ...orm-action-endpoint-remove-user-Proposer.k | 76 +++++ .../proof-perform-action-endpoint-sc-call.k | 75 +++++ .../proof-perform-action-endpoint-sc-deploy.k | 75 +++++ .../proof-perform-action-endpoint-send-egld.k | 74 +++++ .../proof-perform-action-id-nothing.k | 91 ------ 20 files changed, 1220 insertions(+), 338 deletions(-) create mode 100755 multisig/kompile_tool/kore.sh create mode 100755 multisig/kompile_tool/kprove-kompile.sh create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-New.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-None.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-call.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-deploy.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-send-egld.k delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k diff --git a/multisig/kompile_tool/BUILD b/multisig/kompile_tool/BUILD index 35a835f2c..eda341114 100644 --- a/multisig/kompile_tool/BUILD +++ b/multisig/kompile_tool/BUILD @@ -22,6 +22,22 @@ sh_binary( visibility = ["//visibility:public"], ) +sh_binary( + name = "kprove_kompile_tool", + srcs = ["kprove-kompile.sh"], + deps = [":k_release"], + data = [":k_release"], + visibility = ["//visibility:public"], +) + +sh_binary( + name = "kore_tool", + srcs = ["kore.sh"], + deps = [":k_release"], + data = [":k_release"], + visibility = ["//visibility:public"], +) + sh_binary( name = "ktrusted_tool", srcs = ["make-trusted.py"], diff --git a/multisig/kompile_tool/kmerge.sh b/multisig/kompile_tool/kmerge.sh index 79dba8962..bb6785021 100755 --- a/multisig/kompile_tool/kmerge.sh +++ b/multisig/kompile_tool/kmerge.sh @@ -9,6 +9,7 @@ FIRST=$1 shift cat $FIRST | sed 's/^.*\/\/@ Bazel remove\s*$/\/\/ Removed by Bazel + kmerge./' > $OUTPUT +echo >> $OUTPUT for f in "$@" do diff --git a/multisig/kompile_tool/kore.sh b/multisig/kompile_tool/kore.sh new file mode 100755 index 000000000..cf68168aa --- /dev/null +++ b/multisig/kompile_tool/kore.sh 
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -e
+
+DEFINITION=$1
+shift
+
+SPEC=$1
+shift
+
+COMMAND=$1
+shift
+
+OUTPUT=$1
+shift
+
+MODULE_NAME=$(cat $COMMAND | sed 's/^.*--module \([^ ]*\) .*$/\1/')
+
+SPEC_MODULE_NAME=$(cat $COMMAND | sed 's/^.*--spec-module \([^ ]*\) .*$/\1/')
+
+KOMPILE_TOOL_DIR=kompile_tool
+
+KORE_EXEC=$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-exec)
+KORE_REPL=$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-repl)
+
+REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript)
+
+BACKEND_COMMAND="kore-exec"
+if [ $# -eq 0 ]; then
+ BACKEND_COMMAND="kore-exec"
+else
+ if [ "$1" == "--debug" ]; then
+ BACKEND_COMMAND="kore-repl --repl-script $REPL_SCRIPT"
+ else
+ echo "Unknown argument: '$1'"
+ exit 1
+ fi
+fi
+
+$BACKEND_COMMAND \
+ --smt-timeout 4000 \
+ $DEFINITION \
+ --prove $SPEC \
+ --module $MODULE_NAME \
+ --spec-module $SPEC_MODULE_NAME \
+ --output $OUTPUT
diff --git a/multisig/kompile_tool/kprove-kompile.sh b/multisig/kompile_tool/kprove-kompile.sh
new file mode 100755
index 000000000..be4d37101
--- /dev/null
+++ b/multisig/kompile_tool/kprove-kompile.sh
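Review bot: `MODULE_NAME` and `SPEC_MODULE_NAME` are extracted with a plain `sed 's/.../\1/'`, which prints the whole command line unchanged when `--module ` or `--spec-module ` is absent, so a malformed `$COMMAND` file is handed to `kore-exec` as a bogus module name instead of failing here. Use `sed -n ... p` and reject an empty result; quoting `"$COMMAND"` at the same time stops the path being word-split. `$BACKEND_COMMAND` is expanded unquoted on purpose so that `kore-repl --repl-script ...` splits into words — a short comment saying so would keep someone from "fixing" it — and `set -u` would additionally catch a missing positional argument, since the script consumes four with bare `$1`.
```shell
MODULE_NAME=$(sed -n 's/^.*--module \([^ ]*\) .*$/\1/p' "$COMMAND")
SPEC_MODULE_NAME=$(sed -n 's/^.*--spec-module \([^ ]*\) .*$/\1/p' "$COMMAND")
if [ -z "$MODULE_NAME" ] || [ -z "$SPEC_MODULE_NAME" ]; then
  echo "Could not find --module/--spec-module in $COMMAND" >&2
  exit 1
fi
# … unchanged: KOMPILE_TOOL_DIR, KORE_EXEC/KORE_REPL, backend selection and invocation …
```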
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+
+set -e
+
+KOMPILE_DIR=`dirname $1`
+shift
+
+ORIGINAL_FILE=$1
+shift
+
+PROOF_FILE=$(realpath $1)
+shift
+
+SPEC_OUTPUT=$1
+shift
+
+DEFINITION_OUTPUT=$1
+shift
+
+COMMAND_OUTPUT=$1
+shift
+
+MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:])
+
+KOMPILE_TOOL_DIR=kompile_tool
+
+KPROVE=$(realpath $KOMPILE_TOOL_DIR/k/bin/kprove)
+
+TMP_DIR=$(mktemp -d)
+trap 'rm -rf -- "$TMP_DIR"' EXIT
+
+cp -rL $KOMPILE_DIR $TMP_DIR
+chmod -R a+w $TMP_DIR/*
+
+pushd $TMP_DIR
+
+$KPROVE \
+ --spec-module "$MODULE_NAME" \
+ --dry-run \
+ "$PROOF_FILE" > output
+
+SPEC_FILE=$(cat output | grep kore-exec | sed 's/^.*--prove \([^ ]*\) .*$/\1/')
+COMMAND=$(cat output | grep kore-exec)
+
+popd
+
+cp $SPEC_FILE $SPEC_OUTPUT
+
+DEFINITION_FILE=$(dirname $SPEC_FILE)/vdefinition.kore
+
+cp $DEFINITION_FILE $DEFINITION_OUTPUT
+
+echo $COMMAND > $COMMAND_OUTPUT
diff --git a/multisig/proof.bzl b/multisig/proof.bzl
index 151633981..f5b1a9e91 100644
--- a/multisig/proof.bzl
+++ b/multisig/proof.bzl
@@ -1,5 +1,6 @@ KompileInfo = provider(fields=["files"]) KtrustedInfo = provider(fields=["trusted"]) +KproveInfo = provider(fields=["spec", "definition", "command"]) def _kompile_impl(ctx): output_files = [
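Review bot: `tr [:lower:] [:upper:]` leaves the bracket expressions unquoted, so the shell globs them against the working directory; a file named `r`, `l`, `o`, `w`, `e` or `:` in cwd replaces the expression with that filename and silently corrupts `MODULE_NAME`, the `--spec-module` handed to kprove. Quote them: `tr '[:lower:]' '[:upper:]'`. `chmod -R a+w $TMP_DIR/*` grants more than the copy needs — `u+w` is sufficient, and `mktemp -d` only makes the directory itself private, not what is put inside it. `SPEC_FILE` is read from kprove's output while inside `$TMP_DIR` but used after `popd`, which only works if kprove prints absolute paths; I cannot confirm that from here. The proof.bzl hunk that follows only adds the `KproveInfo` provider.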
@@ -136,7 +137,86 @@ def _merge_trusted(input_file, trusted_attr, kmerge, actions, merged_file): progress_message="Preparing %s" % input_file.path, executable=kmerge) -def _kprove_test_impl(ctx): +# def _kprove_test_impl(ctx): +# if len(ctx.files.srcs) != 1: +# fail +# merged_file = ctx.actions.declare_file(ctx.label.name + '.k') + +# _merge_trusted( +# ctx.files.srcs[0], +# ctx.attr.trusted, +# ctx.executable.kmerge_tool, +# ctx.actions, +# merged_file) + +# output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') +# command_parts = [ +# "pushd $(pwd)", +# "kompile_tool/kprove_tool %s %s %s --debug" % ( +# ctx.attr.semantics[KompileInfo].files[0].short_path, +# ctx.files.srcs[0].path, +# merged_file.short_path), +# "popd", +# ] +# script_lines = [ +# "#!/usr/bin/env bash", +# "", +# # "read line", +# # 'echo "aaa: $line"', +# # "", +# "echo 'To debug:'", +# 'echo "%s"' % ("; ".join(command_parts)), +# "kompile_tool/kprove_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), +# ] +# ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) +# runfiles = ctx.runfiles( +# [merged_file, ctx.executable.kprove_tool] +# + ctx.attr.semantics[KompileInfo].files +# + ctx.attr.k_distribution[DefaultInfo].files.to_list() +# + ctx.attr.debug_script[DefaultInfo].files.to_list() +# ) +# return [ +# DefaultInfo( +# runfiles = runfiles, +# executable = output_file, +# ) +# ] + +# kprove_test = rule( +# implementation = _kprove_test_impl, +# attrs = { +# "srcs": attr.label_list(allow_files = [".k"]), +# "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), +# "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), +# "kprove_tool": attr.label( +# executable = True, +# cfg = "exec", +# allow_files = True, +# default = Label("//kompile_tool:kprove_tool"), +# ), +# "kmerge_tool": attr.label( +# executable = True, +# cfg = "exec", +# 
allow_files = True, +# default = Label("//kompile_tool:kmerge_tool"), +# ), +# "k_distribution": attr.label( +# executable = False, +# cfg = "exec", +# allow_files = True, +# default = Label("//kompile_tool:k_release"), +# ), +# "debug_script": attr.label( +# executable = False, +# cfg = "exec", +# allow_files = True, +# default = Label("//kompile_tool:kast_script"), +# ), +# }, +# test = True, +# ) + +def _kprove_kompile_impl(ctx): if len(ctx.files.srcs) != 1: fail merged_file = ctx.actions.declare_file(ctx.label.name + '.k') 
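Review bot: The old `_kprove_test_impl` and `kprove_test` rule are kept as roughly eighty `#`-commented lines instead of being deleted, while a new `kprove_test` macro with the same name is defined at the bottom of this file. A commented-out definition that shares its name with a live one is exactly what makes the file harder to review, and git history already preserves the old rule; delete the block. The `_kprove_kompile_impl` that begins at the end of this hunk continues outside it.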
@@ -148,56 +228,111 @@ def _kprove_test_impl(ctx): ctx.actions, merged_file) - output_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') + output_spec = ctx.actions.declare_file(ctx.label.name + '.spec.kore') + output_definition = ctx.actions.declare_file(ctx.label.name + '.definition.kore') + output_command = ctx.actions.declare_file(ctx.label.name + '.command') + runfiles = depset( + [merged_file, ctx.executable.kprove_kompile_tool] + + ctx.attr.semantics[KompileInfo].files + + ctx.attr.k_distribution[DefaultInfo].files.to_list() + ) + ctx.actions.run( + inputs=runfiles.to_list(), + outputs=[output_spec, output_definition, output_command], + arguments=[ + ctx.attr.semantics[KompileInfo].files[0].path, + ctx.files.srcs[0].path, + merged_file.path, + output_spec.path, + output_definition.path, + output_command.path, + ], + progress_message="Generating kore for %s" % ctx.files.srcs[0].path, + executable=ctx.executable.kprove_kompile_tool) + return [ + KproveInfo( + spec = output_spec, + definition = output_definition, + command = output_command + ) + ] + +kprove_kompile = rule( + implementation = _kprove_kompile_impl, + attrs = { + "srcs": attr.label_list(allow_files = [".k"]), + "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), + "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), + "kprove_kompile_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kprove_kompile_tool"), + ), + "kmerge_tool": attr.label( + executable = True, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:kmerge_tool"), + ), + "k_distribution": attr.label( + executable = False, + cfg = "exec", + allow_files = True, + default = Label("//kompile_tool:k_release"), + ), + }, +) + +def _kore_test_impl(ctx): + + script_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') + + tool_call = "kompile_tool/kore_tool %s %s %s %s" % ( + 
ctx.attr.kompiled[KproveInfo].definition.short_path, + ctx.attr.kompiled[KproveInfo].spec.short_path, + ctx.attr.kompiled[KproveInfo].command.short_path, + ctx.label.name + '.output.k') + command_parts = [ "pushd $(pwd)", - "kompile_tool/kprove_tool %s %s %s --debug" % ( - ctx.attr.semantics[KompileInfo].files[0].short_path, - ctx.files.srcs[0].path, - merged_file.short_path), + "%s --debug" % tool_call, "popd", ] script_lines = [ "#!/usr/bin/env bash", "", - # "read line", - # 'echo "aaa: $line"', - # "", "echo 'To debug:'", 'echo "%s"' % ("; ".join(command_parts)), - "kompile_tool/kprove_tool %s %s %s %s" % (ctx.attr.semantics[KompileInfo].files[0].short_path, ctx.files.srcs[0].path, merged_file.short_path, '"$@"'), + "%s %s" % (tool_call, '"$@"'), ] - ctx.actions.write(output_file, "\n".join(script_lines), is_executable = True) + ctx.actions.write(script_file, "\n".join(script_lines), is_executable = True) runfiles = ctx.runfiles( - [merged_file, ctx.executable.kprove_tool] - + ctx.attr.semantics[KompileInfo].files + [ + ctx.attr.kompiled[KproveInfo].definition, + ctx.attr.kompiled[KproveInfo].spec, + ctx.attr.kompiled[KproveInfo].command, + ctx.executable.kore_tool, + ] + ctx.attr.k_distribution[DefaultInfo].files.to_list() + ctx.attr.debug_script[DefaultInfo].files.to_list() ) return [ DefaultInfo( runfiles = runfiles, - executable = output_file, + executable = script_file, ) ] -kprove_test = rule( - implementation = _kprove_test_impl, +kore_test = rule( + implementation = _kore_test_impl, attrs = { - "srcs": attr.label_list(allow_files = [".k"]), - "trusted": attr.label_list(providers=[DefaultInfo, KtrustedInfo]), - "semantics": attr.label(mandatory=True, providers=[DefaultInfo, KompileInfo]), - "kprove_tool": attr.label( + "kompiled": attr.label(providers=[KproveInfo]), + "kore_tool": attr.label( executable = True, cfg = "exec", allow_files = True, - default = Label("//kompile_tool:kprove_tool"), - ), - "kmerge_tool": attr.label( - executable = True, - cfg = 
"exec", - allow_files = True, - default = Label("//kompile_tool:kmerge_tool"), + default = Label("//kompile_tool:kore_tool"), ), "k_distribution": attr.label( executable = False, @@ -214,3 +349,17 @@ kprove_test = rule( }, test = True, ) + +def kprove_test(*, name, srcs, trusted=[], semantics, timeout="short"): + kprove_kompile( + name = "%s-kompile" % name, + srcs = srcs, + trusted = trusted, + semantics = semantics, + ) + + kore_test( + name = name, + kompiled = ":%s-kompile" % name, + ) + diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index 0463293cb..058579804 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -14,7 +14,6 @@ kprove_test( srcs = ["proof-perform-action-endpoint-New.k"], trusted = [":trusted-perform-action-endpoint-fragment-New"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -22,7 +21,6 @@ kprove_test( srcs = ["proof-perform-action-endpoint-None.k"], trusted = [":trusted-perform-action-endpoint-fragment-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -30,7 +28,6 @@ kprove_test( srcs = ["proof-perform-action-endpoint-no-quorum-no-signers.k"], trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-no-signers"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
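Review bot: `kompiled` in `kore_test` is declared as `attr.label(providers=[KproveInfo])` without `mandatory=True`, so a `kore_test` written without it is not rejected at the attribute check and only fails later, inside `_kore_test_impl`, when `ctx.attr.kompiled[KproveInfo]` is evaluated. Make it `"kompiled": attr.label(mandatory=True, providers=[KproveInfo]),`. The `.output.k` path handed to `kore_tool` in the runner is relative to wherever the test executes; a comment saying that it lands in the test's working directory would save the next reader a look at kore.sh.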
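Review bot: The `kprove_test` macro accepts `timeout="short"` but never forwards it, so every `timeout = "medium"` that this commit sets in the BUILD files is silently ignored and the tests run under Bazel's default timeout. Either pass it on with `timeout = timeout,` in the `kore_test(...)` call, or drop the parameter so callers get an error instead of a no-op. The `kprove_kompile` step gets no timeout either; that may be intended, since it is a build action rather than a test.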
@@ -38,63 +35,58 @@ kprove_test( srcs = ["proof-perform-action-endpoint-no-quorum-has-signers.k"], trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-has-signers"], semantics = ":functions-execute", - timeout = "long", + timeout = "medium", ) -# kprove_test( -# name = "proof-perform-action-endpoint-remove-user-BoardMember", -# srcs = ["proof-perform-action-endpoint-remove-user-BoardMember.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-remove-user-BoardMember", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-remove-user-BoardMember", + srcs = ["proof-perform-action-endpoint-remove-user-BoardMember.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-remove-user-BoardMember", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-remove-user-BoardMember-too-few", -# srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-remove-user-BoardMember-too-few", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-remove-user-BoardMember-too-few", + srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-remove-user-BoardMember-too-few", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-remove-user-Proposer-nobody-left", -# srcs = ["proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-remove-user-Proposer-nobody-left", -# ], -# semantics = 
":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-remove-user-Proposer-nobody-left", + srcs = ["proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-remove-user-Proposer-nobody-left", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-remove-user-Proposer", -# srcs = ["proof-perform-action-endpoint-remove-user-Proposer.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-remove-user-Proposer", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-remove-user-Proposer", + srcs = ["proof-perform-action-endpoint-remove-user-Proposer.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-remove-user-Proposer", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-remove-user-None", -# srcs = ["proof-perform-action-endpoint-remove-user-None.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-remove-user-None", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-remove-user-None", + srcs = ["proof-perform-action-endpoint-remove-user-None.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-remove-user-None", + ], + semantics = ":functions-execute", +) # kprove_test( # name = "proof-perform-action-endpoint-remove-user-New", 
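Review bot: `proof-perform-action-endpoint-remove-user-New` is the one target in this block left commented out while all its siblings are re-enabled, although the commit creates `proof-perform-action-endpoint-remove-user-New.k` according to the diffstat. Without a note a reader cannot tell whether the proof still fails, times out, or was simply forgotten. Either enable the target or replace the commented block with a single comment such as `# remove-user-New: proof does not yet close, see <issue>` so the gap stays visible. The commented-out target continues past the end of this hunk.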
@@ -107,27 +99,25 @@ kprove_test( # timeout = "long", # ) -# kprove_test( -# name = "proof-perform-action-endpoint-change-quorum", -# srcs = ["proof-perform-action-endpoint-change-quorum.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-change-quorum", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-change-quorum", + srcs = ["proof-perform-action-endpoint-change-quorum.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-change-quorum", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-change-quorum-no-quorum", -# srcs = ["proof-perform-action-endpoint-change-quorum-no-quorum.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-change-quorum-no-quorum", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-change-quorum-no-quorum", + srcs = ["proof-perform-action-endpoint-change-quorum-no-quorum.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-change-quorum-no-quorum", + ], + semantics = ":functions-execute", +) kprove_test( name = "proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum", @@ -137,7 +127,6 @@ kprove_test( ":trusted-perform-action-id-add-proposer-BoardMember-no-quorum", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -148,7 +137,6 @@ kprove_test( ":trusted-perform-action-id-add-proposer-BoardMember", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -159,7 +147,6 @@ kprove_test( ":trusted-perform-action-id-add-proposer-Proposer", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -170,7 +157,6 @@ kprove_test( ":trusted-perform-action-id-add-proposer-New", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -181,7 +167,6 @@ kprove_test( ":trusted-perform-action-id-add-proposer-None", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -192,7 +177,6 @@ kprove_test( ":trusted-perform-action-id-add-board-member-New", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -203,7 +187,6 @@ kprove_test( ":trusted-perform-action-id-add-board-member-BoardMember", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -214,7 +197,6 @@ kprove_test( ":trusted-perform-action-id-add-board-member-Proposer", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -225,65 +207,48 @@ kprove_test( ":trusted-perform-action-id-add-board-member-None", ], semantics = ":functions-execute", - timeout = "long", ) -# kprove_test( -# name = "proof-perform-action-endpoint-send-egld", -# srcs = ["proof-perform-action-endpoint-send-egld.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-send-egld", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) - -# kprove_test( -# name = "proof-perform-action-endpoint-sc-call", -# srcs = ["proof-perform-action-endpoint-sc-call.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-sc-call", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-send-egld", + srcs = ["proof-perform-action-endpoint-send-egld.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-send-egld", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-sc-deploy", -# srcs = ["proof-perform-action-endpoint-sc-deploy.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-sc-deploy", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-sc-call", + srcs = ["proof-perform-action-endpoint-sc-call.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-sc-call", + ], + semantics = ":functions-execute", +) -# kprove_test( -# name = "proof-perform-action-endpoint-nothing", -# srcs = ["proof-perform-action-endpoint-nothing.k"], -# trusted = [ -# ":trusted-perform-action-endpoint-fragment-performs", -# ":trusted-perform-action-id-nothing", -# ], -# semantics = ":functions-execute", -# timeout = "long", -# ) +kprove_test( + name = "proof-perform-action-endpoint-sc-deploy", + srcs 
= ["proof-perform-action-endpoint-sc-deploy.k"], + trusted = [ + ":trusted-perform-action-endpoint-fragment-performs", + ":trusted-perform-action-id-sc-deploy", + ], + semantics = ":functions-execute", +) kprove_test( name = "proof-perform-action-endpoint-fragment-New", srcs = ["proof-perform-action-endpoint-fragment-New.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-perform-action-endpoint-fragment-None", srcs = ["proof-perform-action-endpoint-fragment-None.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -291,7 +256,6 @@ kprove_test( srcs = ["proof-perform-action-endpoint-fragment-no-quorum-no-signers.k"], trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -299,7 +263,7 @@ kprove_test( srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"], trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "eternal", + timeout = "medium", ) kprove_test( @@ -307,7 +271,7 @@ kprove_test( srcs = ["proof-perform-action-endpoint-fragment-performs.k"], trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "eternal", + timeout = "medium", ) kprove_test( @@ -315,7 +279,6 @@ kprove_test( srcs = ["proof-perform-action-id-remove-user-BoardMember.k"], trusted = [":trusted-perform-action-remove-user-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -323,7 +286,6 @@ kprove_test( srcs = ["proof-perform-action-id-remove-user-BoardMember-too-few.k"], trusted = [":trusted-perform-action-remove-user-BoardMember-too-few"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -331,7 +293,6 @@ kprove_test( srcs = ["proof-perform-action-id-remove-user-Proposer-nobody-left.k"], trusted = [":trusted-perform-action-remove-user-Proposer-nobody-left"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -339,7 +300,6 @@ kprove_test( srcs = ["proof-perform-action-id-remove-user-Proposer.k"], trusted = [":trusted-perform-action-remove-user-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -347,7 +307,6 @@ kprove_test( srcs = ["proof-perform-action-id-remove-user-None.k"], trusted = [":trusted-perform-action-remove-user-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -355,7 +314,6 @@ kprove_test( srcs = ["proof-perform-action-id-remove-user-New.k"], trusted = [":trusted-perform-action-remove-user-New"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -363,7 +321,6 @@ kprove_test( srcs = ["proof-perform-action-id-change-quorum.k"], trusted = [":trusted-perform-action-change-quorum"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -371,7 +328,6 @@ kprove_test( srcs = ["proof-perform-action-id-change-quorum-no-quorum.k"], trusted = [":trusted-perform-action-change-quorum-no-quorum"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -379,7 +335,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-proposer-BoardMember-no-quorum.k"], trusted = [":trusted-perform-action-add-proposer-BoardMember-no-quorum"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -387,7 +342,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-proposer-BoardMember.k"], trusted = [":trusted-perform-action-add-proposer-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -395,7 +349,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-proposer-Proposer.k"], trusted = [":trusted-perform-action-add-proposer-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -403,7 +356,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-proposer-New.k"], trusted = [":trusted-perform-action-add-proposer-New"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -411,7 +363,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-proposer-None.k"], trusted = [":trusted-perform-action-add-proposer-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -419,7 +370,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-board-member-New.k"], trusted = [":trusted-perform-action-add-board-member-New"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -427,7 +377,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-board-member-BoardMember.k"], trusted = [":trusted-perform-action-add-board-member-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -435,7 +384,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-board-member-Proposer.k"], trusted = [":trusted-perform-action-add-board-member-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -443,7 +391,6 @@ kprove_test( srcs = ["proof-perform-action-id-add-board-member-None.k"], trusted = [":trusted-perform-action-add-board-member-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -451,7 +398,6 @@ kprove_test( srcs = ["proof-perform-action-id-send-egld.k"], trusted = [":trusted-perform-action-send-egld"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -459,7 +405,6 @@ kprove_test( srcs = ["proof-perform-action-id-sc-call.k"], trusted = [":trusted-perform-action-sc-call"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -467,15 +412,6 @@ kprove_test( srcs = ["proof-perform-action-id-sc-deploy.k"], trusted = [":trusted-perform-action-sc-deploy"], semantics = ":functions-execute", - timeout = "long", -) - -kprove_test( - name = "proof-perform-action-id-nothing", - srcs = ["proof-perform-action-id-nothing.k"], - trusted = [":trusted-perform-action-nothing"], - semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
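Review bot: `proof-perform-action-id-nothing` is removed here and its source file is deleted per the diffstat, and the commented-out `proof-perform-action-endpoint-nothing` target was dropped earlier in this file, with nothing taking their place. If the semantics still has a `Nothing` action variant, `performActionFromId` on it now lies outside the proven set; if the variant was removed from pseudocode.k, that is the reason and it should be stated. A one-line comment in BUILD, `# Nothing actions: no proof target, <reason>`, or a sentence in the commit message would record which of the two it is.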
@@ -483,7 +419,6 @@ kprove_test( srcs = ["proof-perform-action-remove-user-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -491,7 +426,6 @@ kprove_test( srcs = ["proof-perform-action-remove-user-BoardMember-too-few.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -499,7 +433,6 @@ kprove_test( srcs = ["proof-perform-action-remove-user-Proposer-nobody-left.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -507,7 +440,6 @@ kprove_test( srcs = ["proof-perform-action-remove-user-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -515,7 +447,6 @@ kprove_test( srcs = ["proof-perform-action-remove-user-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -523,21 +454,18 @@ kprove_test( srcs = ["proof-perform-action-remove-user-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", - timeout = "eternal", ) kprove_test( name = "proof-perform-action-change-quorum", srcs = ["proof-perform-action-change-quorum.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-perform-action-change-quorum-no-quorum", srcs = ["proof-perform-action-change-quorum-no-quorum.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -545,7 +473,6 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-BoardMember-no-quorum.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -553,7 +480,6 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -561,7 +487,6 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -569,7 +494,6 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -577,7 +501,6 @@ kprove_test( srcs = ["proof-perform-action-add-proposer-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -585,7 +508,6 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-New.k"], trusted = [":trusted-change-user-role-New"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -593,7 +515,6 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-BoardMember.k"], trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -601,7 +522,6 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -609,70 +529,60 @@ kprove_test( srcs = ["proof-perform-action-add-board-member-None.k"], trusted = [":trusted-change-user-role-None"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-perform-action-send-egld", srcs = ["proof-perform-action-send-egld.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-perform-action-sc-call", srcs = ["proof-perform-action-sc-call.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-perform-action-sc-deploy", srcs = ["proof-perform-action-sc-deploy.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-perform-action-nothing", srcs = ["proof-perform-action-nothing.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-change-user-role-BoardMember", srcs = ["proof-change-user-role-BoardMember.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-change-user-role-New", srcs = ["proof-change-user-role-New.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-change-user-role-None", srcs = ["proof-change-user-role-None.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-change-user-role-Proposer", srcs = ["proof-change-user-role-Proposer.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-count-can-sign", srcs = ["proof-count-can-sign.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -680,14 +590,12 @@ kprove_test( srcs = ["proof-discard-action-has-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "eternal", ) kprove_test( name = "proof-discard-action-no-role", srcs = ["proof-discard-action-no-role.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -695,7 +603,6 @@ kprove_test( srcs = ["proof-discard-action-no-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -703,14 +610,12 @@ kprove_test( srcs = ["proof-discard-action-no-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-discard-action-no-user", srcs = ["proof-discard-action-no-user.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -718,7 +623,7 @@ kprove_test( srcs = ["proof-discard-action-no-valid-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "eternal", + timeout = "medium", ) kprove_test( @@ -726,35 +631,30 @@ kprove_test( srcs = ["proof-discard-action-no-valid-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "eternal", ) kprove_test( name = "proof-propose-action-BoardMember", srcs = ["proof-propose-action-BoardMember.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-propose-action-error-no-role", srcs = ["proof-propose-action-error-no-role.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-propose-action-error-no-user", srcs = ["proof-propose-action-error-no-user.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-propose-action-Proposer", srcs = ["proof-propose-action-Proposer.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -765,7 +665,6 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( @@ -776,7 +675,6 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "eternal", ) kprove_test( 
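Review bot: `proof-discard-action-no-valid-signers-no-action` is the only target in these hunks that keeps an explicit timeout after the change (`eternal` becomes `medium`), while every sibling, including the neighbouring `proof-discard-action-no-valid-signers` that also used `eternal`, now relies on the `kprove_test` default. If `medium` is deliberately different from that default, a one-line comment above the attribute, `# keep: this proof needs a non-default timeout`, would stop the next cleanup pass from dropping it along with the others. If it is not deliberate, removing it keeps the file uniform.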
@@ -787,14 +685,12 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-propose-sc-deploy-fragment", srcs = ["proof-propose-sc-deploy-fragment.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( 
@@ -805,119 +701,102 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-caller-none", srcs = ["proof-sign-caller-none.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-caller-not-user", srcs = ["proof-sign-caller-not-user.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-caller-proposer", srcs = ["proof-sign-caller-proposer.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-empty-action", srcs = ["proof-sign-empty-action.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-existing-signers-in-list", srcs = ["proof-sign-existing-signers-in-list.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-existing-signers-not-in-list", srcs = ["proof-sign-existing-signers-not-in-list.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-sign-no-signers", srcs = ["proof-sign-no-signers.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-no-action", srcs = ["proof-unsign-no-action.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-no-role", srcs = ["proof-unsign-no-role.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-no-signers", srcs = ["proof-unsign-no-signers.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-no-user", srcs = ["proof-unsign-no-user.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-not-signed", srcs = ["proof-unsign-not-signed.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-only-signer", srcs = ["proof-unsign-only-signer.k"], semantics = ":functions-execute", - 
timeout = "long", ) kprove_test( name = "proof-unsign-other-signers-first", srcs = ["proof-unsign-other-signers-first.k"], semantics = ":functions-execute", - timeout = "long", ) kprove_test( name = "proof-unsign-other-signers-not-first", srcs = ["proof-unsign-other-signers-not-first.k"], semantics = ":functions-execute", - timeout = "eternal", ) kprove_test( name = "proof-unsign-Proposer", srcs = ["proof-unsign-Proposer.k"], semantics = ":functions-execute", - timeout = "long", ) ktrusted( diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k index 3eb99c935..d5bcdbf2c 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-New.k @@ -9,7 +9,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-NEW imports FUNCTIONS-EXECUTE claim - call(performActionEndpoint(ActionId:Usize)) ~> K:K + call(performActionEndpoint(_ActionId:Usize)) ~> K:K invariantStateFull( NumUsers:Usize, UserIdToAddress:Map, diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum-no-quorum.k new file mode 100644 index 000000000..78aa6b147 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum-no-quorum.k 
@@ -0,0 +1,72 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-id-change-quorum-no-quorum.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM-NO-QUORUM
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-CHANGE-QUORUM-NO-QUORUM
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM-NO-QUORUM
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(OldQuorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ error ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(OldQuorum),
+ ActionLastIndex,
+ ActionId |-> Action ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool NewQuorum >Int NumBoardMembers
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool OldQuorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum.k
new file mode 100644
index 000000000..910bd13e7
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-change-quorum.k
@@ -0,0 +1,72 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-id-change-quorum.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-CHANGE-QUORUM
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(OldQuorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(NewQuorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool NewQuorum <=Int NumBoardMembers
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool OldQuorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
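Review bot: The success claim's only perform-from-id precondition is `NewQuorum <=Int NumBoardMembers`, and the error claim in the companion change-quorum-no-quorum file covers `NewQuorum >Int NumBoardMembers`; neither visible precondition excludes `NewQuorum ==Int 0`. If the semantics outside this file accept that value, this claim proves that a quorum of zero can be installed, after which the perform-fragment condition `Quorum <=Int countCanSignFunction(...)` holds with no signers at all. Whether a lower bound exists in the semantics is not visible here, so either add `andBool NewQuorum >Int 0` once that bound is confirmed, or record in a comment above `requires true` that the semantics permit a zero quorum and this claim deliberately includes it.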
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k index 22ada218c..b5ca30344 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k @@ -1,10 +1,10 @@ //@ proof -require "trusted-perform-action-endpoint-fragment-no-quorum-no-signers.k" //@ Bazel remove +require "trusted-perform-action-endpoint-fragment-no-quorum-has-signers.k" //@ Bazel remove -module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS - imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS +module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-HAS-SIGNERS + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-HAS-SIGNERS //@ trusted -// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS +// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM-HAS-SIGNERS //@ end imports FUNCTIONS-EXECUTE diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few.k new file mode 100644 index 000000000..9621da959 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few.k 
@@ -0,0 +1,78 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-endpoint-id-remove-user-BoardMember-too-few.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-TOO-FEW
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-TOO-FEW
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ UserAddress |-> UserId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (CallerId |-> Role:UserRole
+ UserId |-> BoardMember
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ error ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ u(NumProposers),
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionId |-> Action ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+ andBool (false
+ orBool NumBoardMembers +Int NumProposers ==Int 1
+ orBool Quorum ==Int NumBoardMembers
+ )
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember.k
new file mode 100644
index 000000000..a0501be64
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember.k
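Review bot: The third line requires `trusted-perform-action-endpoint-id-remove-user-BoardMember-too-few.k`, but the module it is expected to provide is imported as `TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW`, and the sibling change-quorum and sc-call proofs in this commit require `trusted-perform-action-id-<case>.k` for modules named the same way. Unless a file with the `endpoint-id` name exists, a standalone kprove run of this proof cannot resolve the require, while under Bazel the `//@ Bazel remove` marker strips the line and hides the mismatch. The suggested line is `require "trusted-perform-action-id-remove-user-BoardMember-too-few.k" //@ Bazel remove`. The same `endpoint-id` require appears in the remove-user-BoardMember, remove-user-New, remove-user-None, remove-user-Proposer-nobody-left and remove-user-Proposer proofs added below.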
@@ -0,0 +1,76 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-endpoint-id-remove-user-BoardMember.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ UserAddress |-> UserId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (CallerId |-> Role:UserRole
+ UserId |-> BoardMember
+ UserIdToRoleInner:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers -Int 1),
+ u(NumProposers),
+ (CallerId |-> Role UserIdToRoleInner),
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+ andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0
+ andBool Quorum <=Int NumBoardMembers -Int 1
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-New.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-New.k
new file mode 100644
index 000000000..24c1db79e
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-New.k
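Review bot: The pre-state binds `CallerAddress |-> CallerId` and `UserAddress |-> UserId` as separate entries of AddressToUserId, and `CallerId |-> Role` and `UserId |-> BoardMember` as separate entries of UserIdToRole, so the claim only covers the case CallerId =/=K UserId; a board member whose own removal reaches quorum is outside it. If no sibling claim handles self-removal, either add one or record the exclusion next to the pattern, e.g. `// Caller and removed user are distinct map entries; self-removal is not covered by this claim.` The same restriction applies to the remove-user-BoardMember-too-few, remove-user-None, remove-user-Proposer-nobody-left and remove-user-Proposer proofs in this commit.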
@@ -0,0 +1,79 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-remove-user-New.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-NEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-NEW +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + u(NumUsers:Int), + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + u(NumUsers +Int 1), + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, + UserAddress |-> u(NumUsers +Int 1) AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // something to map values to keys. 
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool Quorum <=Int NumBoardMembers + andBool notBool (UserAddress in_keys(AddressToUserId)) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-None.k new file mode 100644 index 000000000..f0559a9b1 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-None.k 
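Review bot: The post-state shows that performing RemoveUser for an address absent from AddressToUserId does not fail but allocates user id `NumUsers +Int 1`, inserts it into UserIdToAddress and AddressToUserId, and leaves UserIdToRole untouched; a reader can easily mistake that for an error in the claim, so it deserves a comment above the claim such as `// RemoveUser of an unknown address registers the address as a new, role-less user; this is the semantics being specified, not a proof artefact.` If that state growth is not what the contract is meant to do, the claim is documenting a defect in the semantics rather than a safety property, which is worth deciding explicitly. The TODO comment ends with a trailing `+` continued on the next line, which reads like an operator in the collapsed form; rewording it as one sentence would avoid the ambiguity.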
@@ -0,0 +1,76 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-endpoint-id-remove-user-None.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-NONE
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-NONE
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-NONE
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ UserAddress |-> UserId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ u(NumProposers),
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+ andBool Quorum <=Int NumBoardMembers
+ andBool NumBoardMembers +Int NumProposers >Int 0
+ andBool notBool (UserId in_keys(UserIdToRole))
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k
new file mode 100644
index 000000000..439e02bfd
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k
@@ -0,0 +1,76 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-endpoint-id-remove-user-Proposer-nobody-left.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-NOBODY-LEFT
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-NOBODY-LEFT
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ UserAddress |-> UserId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (CallerId |-> Role:UserRole
+ UserId |-> Proposer
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ error ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ u(NumProposers),
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionId |-> Action ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+ andBool Quorum <=Int NumBoardMembers
+ andBool NumBoardMembers +Int NumProposers ==Int 1
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer.k
new file mode 100644
index 000000000..396d182cc
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer.k
@@ -0,0 +1,76 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-endpoint-id-remove-user-Proposer.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ UserAddress |-> UserId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ u(NumProposers:Int),
+ (CallerId |-> Role:UserRole
+ UserId |-> Proposer
+ UserIdToRoleInner:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ u(NumProposers -Int 1),
+ (CallerId |-> Role UserIdToRoleInner),
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+ andBool Quorum <=Int NumBoardMembers
+ andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-call.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-call.k
new file mode 100644
index 000000000..4d02b210e
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-call.k
@@ -0,0 +1,75 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-id-sc-call.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-SC-CALL
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-SC-CALL
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-SC-CALL
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> SCCall(
+ _To:Address,
+ _Amount:BigUint,
+ _Function:BoxedBytes,
+ _Arguments:ExpressionList) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
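Review bot: The claim constrains none of the SCCall fields (`_To`, `_Amount`, `_Function`, `_Arguments` are all wildcards) and its post-state differs from the pre-state only in `ActionSigners[ActionId <- undef]` and `ListItem(Action) PerformedActions`, so a reader can take it as a statement about the effect of the call when it says nothing about what the callee or the transferred amount do. That scoping is presumably intended — the external call is represented only by its entry in `PerformedActions` — but it deserves a comment above `claim`, e.g. `// The external effects of the SCCall (value transfer, callee execution) are outside this model; performing the action only records it in PerformedActions.` The sc-deploy and send-egld proofs that follow on this page have the same shape and would benefit from the same comment, since for send-egld the value transfer is the whole point of the action.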
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-deploy.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-deploy.k
new file mode 100644
index 000000000..65dbd23ac
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-sc-deploy.k
@@ -0,0 +1,75 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-id-sc-deploy.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-SC-DEPLOY
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-SC-DEPLOY
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-SC-DEPLOY
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> SCDeploy(
+ _Amount:BigUint,
+ _Code:BoxedBytes,
+ _CodeMetadata:CodeMetadata,
+ _Arguments:ExpressionList) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-send-egld.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-send-egld.k
new file mode 100644
index 000000000..740c5a62d
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-send-egld.k
@@ -0,0 +1,74 @@
+//@ proof
+require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove
+require "trusted-perform-action-id-send-egld.k" //@ Bazel remove
+
+module PROOF-PERFORM-ACTION-ENDPOINT-SEND-EGLD
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS
+ imports TRUSTED-PERFORM-ACTION-ID-SEND-EGLD
+//@ trusted
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-SEND-EGLD
+//@ end
+ imports FUNCTIONS-EXECUTE
+
+ claim
+ call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> SendEgld(
+ _To:Address,
+ _Amount:BigUint,
+ _Data:BoxedBytes) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k deleted file mode 100644 index 9eaeb5686..000000000 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k +++ /dev/null @@ -1,91 +0,0 @@ -//@ proof -require "trusted-perform-action-nothing.k" //@ Bazel remove - -module PROOF-PERFORM-ACTION-ID-NOTHING - imports TRUSTED-PERFORM-ACTION-NOTHING -//@ trusted -// module TRUSTED-PERFORM-NOTHING -//@ end - - imports PSEUDOCODE - - claim - - call(performAction(Nothing #as Action:Action)) ~> K:K - - - - NumUsers:Usize - UserIdToAddress:Map - AddressToUserId:Map - - - NumBoardMembers:Usize - NumProposers:Usize - UserIdToRole:Map - Quorum:Usize - - - ActionLastIndex:Usize - - ActionData:Map - ActionSigners:Map - - - - - .Map - Stack:Stack - - - CallerAddress:Address - - - PerformedActions:List - - - - => - - evaluate(void) ~> K - - - - NumUsers - UserIdToAddress - AddressToUserId - - - NumBoardMembers - NumProposers - UserIdToRole - Quorum - - - ActionLastIndex - - ActionData - ActionSigners - - - - - ?_Variables:Map - Stack - - - CallerAddress - - - ListItem(Action) PerformedActions - - - - requires true - ensures true - //@ proof - //@ trusted - // [trusted] - //@ end - -endmodule \ No newline at end of file From 99ef051896b371c44b4aef1e8c1406454d2b4c42 Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Fri, 16 Apr 2021 15:26:06 +0300 Subject: [PATCH 30/37] More function proofs --- multisig/kompile_tool/kore.sh | 19 +- multisig/kompile_tool/kprove-kompile.sh | 7 + multisig/proof.bzl | 18 +- .../proof/functions/BUILD | 235 ++++++++++++++++-- ...endpoint-add-board-member-BoardMember-eq.k | 71 ++++++ ...on-endpoint-add-board-member-Proposer-eq.k | 72 ++++++ ...ion-endpoint-add-proposer-BoardMember-eq.k | 73 ++++++ ...nt-add-proposer-BoardMember-no-quorum-eq.k | 72 ++++++ ...action-endpoint-add-proposer-Proposer-eq.k | 72 ++++++ .../proof-perform-action-endpoint-nothing.k | 70 ++++++ ...tion-endpoint-remove-user-BoardMember-eq.k | 72 ++++++ ...point-remove-user-BoardMember-too-few-eq.k | 75 ++++++ ...-action-endpoint-remove-user-Proposer-eq.k | 73 ++++++ ...oint-remove-user-Proposer-nobody-left-eq.k | 73 ++++++ .../proof-perform-action-id-nothing.k | 93 +++++++ 15 files changed, 1072 insertions(+), 23 deletions(-) create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-nothing.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k create mode 100644 
multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k create mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k
diff --git a/multisig/kompile_tool/kore.sh b/multisig/kompile_tool/kore.sh
index cf68168aa..fd346c38a 100755
--- a/multisig/kompile_tool/kore.sh
+++ b/multisig/kompile_tool/kore.sh
@@ -2,16 +2,19 @@ set -e
-DEFINITION=$1
+KOMPILE_DIR=`dirname $1`
 shift
-SPEC=$1
+DEFINITION=$(realpath $1)
+shift
+
+SPEC=$(realpath $1)
 shift
 COMMAND=$1
 shift
-OUTPUT=$1
+OUTPUT=$(realpath $1)
 shift
 MODULE_NAME=$(cat $COMMAND | sed 's/^.*--module \([^ ]*\) .*$/\1/')
@@ -25,18 +28,22 @@ KORE_REPL=$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-repl)
 REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript)
-BACKEND_COMMAND="kore-exec"
+BACKEND_COMMAND=$KORE_EXEC
 if [ $# -eq 0 ]; then
- BACKEND_COMMAND="kore-exec"
+ BACKEND_COMMAND=$KORE_EXEC
 else
 if [ "$1" == "--debug" ]; then
- BACKEND_COMMAND="kore-repl --repl-script $REPL_SCRIPT"
+ BACKEND_COMMAND="$KORE_REPL --repl-script $REPL_SCRIPT"
 else
 echo "Unknown argument: '$1'"
 exit 1
 fi
 fi
+PATH=$(realpath $KOMPILE_TOOL_DIR/k/bin):$PATH
+
+cd $(dirname $KOMPILE_DIR)
+
+$BACKEND_COMMAND \
 --smt-timeout 4000 \
 $DEFINITION \
diff --git a/multisig/kompile_tool/kprove-kompile.sh b/multisig/kompile_tool/kprove-kompile.sh
index be4d37101..f2fa60dcf 100755
--- a/multisig/kompile_tool/kprove-kompile.sh
+++ b/multisig/kompile_tool/kprove-kompile.sh
@@ -20,6 +20,9 @@ shift
 COMMAND_OUTPUT=$1
 shift
+KOMPILE_OUTPUT=$(dirname $1)
+shift
+
 MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:])
 KOMPILE_TOOL_DIR=kompile_tool
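Review bot: Every new assignment in the first kore.sh hunk expands its argument unquoted — `KOMPILE_DIR=`dirname $1``, `DEFINITION=$(realpath $1)`, `SPEC=$(realpath $1)`, `OUTPUT=$(realpath $1)` — so a path containing whitespace or a glob character is split or expanded before `dirname`/`realpath` sees it; the same pattern is in the second kore.sh hunk (`cd $(dirname $KOMPILE_DIR)`) and in both kprove-kompile.sh hunks (`KOMPILE_OUTPUT=$(dirname $1)`, `mkdir -p $KOMPILE_OUTPUT`, `cp ... $KOMPILE_OUTPUT`). The first line also mixes backticks with the `$(...)` used everywhere else; `KOMPILE_DIR=$(dirname "$1")` and `DEFINITION=$(realpath "$1")` keep the two forms consistent. In the second hunk, `BACKEND_COMMAND="$KORE_REPL --repl-script $REPL_SCRIPT"` is stored as one string and later expanded unquoted as `$BACKEND_COMMAND \`, which relies on word splitting; if the script is bash (the `==` test suggests so) an array, `BACKEND_COMMAND=("$KORE_REPL" --repl-script "$REPL_SCRIPT")` expanded as `"${BACKEND_COMMAND[@]}"`, survives quoting the paths. `KORE_EXEC` is not defined anywhere in the hunk; if it comes from the lines above `KORE_REPL=`, a context line or comment would help the reader.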
@@ -51,3 +54,7 @@ DEFINITION_FILE=$(dirname $SPEC_FILE)/vdefinition.kore
 cp $DEFINITION_FILE $DEFINITION_OUTPUT
 echo $COMMAND > $COMMAND_OUTPUT
+
+mkdir -p $KOMPILE_OUTPUT
+
+cp $TMP_DIR/$(basename $KOMPILE_DIR)/* $KOMPILE_OUTPUT
diff --git a/multisig/proof.bzl b/multisig/proof.bzl
index f5b1a9e91..61c34294a 100644
--- a/multisig/proof.bzl
+++ b/multisig/proof.bzl
@@ -231,6 +231,15 @@ def _kprove_kompile_impl(ctx):
 output_spec = ctx.actions.declare_file(ctx.label.name + '.spec.kore')
 output_definition = ctx.actions.declare_file(ctx.label.name + '.definition.kore')
 output_command = ctx.actions.declare_file(ctx.label.name + '.command')
+
+ output_kompile_files = [
+ ctx.actions.declare_file(ctx.label.name + '-kompiled/' + name)
+ for name in [
+ 'allRules.txt', 'cache.bin', 'compiled.bin', 'compiled.txt',
+ 'configVars.sh', 'definition.kore', 'macros.kore', 'mainModule.txt',
+ 'parsed.txt', 'syntaxDefinition.kore', 'timestamp']
+ ]
+
 runfiles = depset(
 [merged_file, ctx.executable.kprove_kompile_tool]
 + ctx.attr.semantics[KompileInfo].files
@@ -238,7 +247,7 @@ def _kprove_kompile_impl(ctx):
 )
 ctx.actions.run(
 inputs=runfiles.to_list(),
- outputs=[output_spec, output_definition, output_command],
+ outputs=[output_spec, output_definition, output_command] + output_kompile_files,
 arguments=[
 ctx.attr.semantics[KompileInfo].files[0].path,
 ctx.files.srcs[0].path,
@@ -246,10 +255,12 @@ def _kprove_kompile_impl(ctx):
 output_spec.path,
 output_definition.path,
 output_command.path,
+ output_kompile_files[0].path
 ],
 progress_message="Generating kore for %s" % ctx.files.srcs[0].path,
 executable=ctx.executable.kprove_kompile_tool)
 return [
+ KompileInfo(files=output_kompile_files),
 KproveInfo(
 spec = output_spec,
 definition = output_definition,
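Review bot: `cp $TMP_DIR/$(basename $KOMPILE_DIR)/* $KOMPILE_OUTPUT` copies whatever the kompiled directory happens to contain, whereas the proof.bzl hunk on this page declares a fixed list of eleven output files (`allRules.txt` … `timestamp`); any file kompile adds or drops in a future K version makes the Bazel action fail with an undeclared- or missing-output error far from this line. Copying the declared names explicitly, or at least a comment `# must produce exactly the files listed in output_kompile_files in proof.bzl`, keeps the two in step. The glob is also unquoted, so a `TMP_DIR` or `KOMPILE_DIR` containing whitespace breaks it; both variables are set outside this hunk.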
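Review bot: `output_kompile_files[0].path` is passed to the tool as the only pointer to the kompiled directory, so correctness depends on the list comprehension's order (`allRules.txt` first) and on the tool taking `dirname` of it, neither of which is stated in `_kprove_kompile_impl`. A one-line comment above the list, `# only the first file is passed to the tool, which derives the kompiled directory from its dirname`, would stop a future reorder or rename of that entry from silently changing the argument. The same eleven names are implicitly duplicated by the `cp .../*` in kprove-kompile.sh, which is worth naming in the same comment.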
@@ -288,7 +299,8 @@ def _kore_test_impl(ctx):
 script_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh')
- tool_call = "kompile_tool/kore_tool %s %s %s %s" % (
+ tool_call = "kompile_tool/kore_tool %s %s %s %s %s" % (
+ ctx.attr.kompiled[KompileInfo].files[0].short_path,
 ctx.attr.kompiled[KproveInfo].definition.short_path,
 ctx.attr.kompiled[KproveInfo].spec.short_path,
 ctx.attr.kompiled[KproveInfo].command.short_path,
@@ -314,6 +326,7 @@ def _kore_test_impl(ctx):
 ctx.attr.kompiled[KproveInfo].command,
 ctx.executable.kore_tool,
 ]
+ + ctx.attr.kompiled[KompileInfo].files
 + ctx.attr.k_distribution[DefaultInfo].files.to_list()
 + ctx.attr.debug_script[DefaultInfo].files.to_list()
 )
@@ -361,5 +374,6 @@ def kprove_test(*, name, srcs, trusted=[], semantics, timeout="short"):
 kore_test(
 name = name,
 kompiled = ":%s-kompile" % name,
+ timeout = timeout,
 )
diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD
index 058579804..835202d75 100644
--- a/multisig/protocol-correctness/proof/functions/BUILD
+++ b/multisig/protocol-correctness/proof/functions/BUILD
@@ -1,4 +1,4 @@
-load("//:proof.bzl", "kompile", "kprove_test", "ktrusted")
+load("//:proof.bzl", "kompile", "kprove_test", "ktrusted", "klibrary")
 kompile(
 name = "functions-execute",
@@ -9,6 +9,16 @@ kompile(
 ],
 )
+klibrary(
+ name = "functions-execute-files",
+ srcs = ["functions-execute.k"],
+ deps = [
+ "//protocol-correctness/proof:execution-proof-files",
+ "//protocol-correctness:pseudocode-files",
+ ],
+ visibility = ["//visibility:public"],
+)
+
 kprove_test(
 name = "proof-perform-action-endpoint-New",
 srcs = ["proof-perform-action-endpoint-New.k"],
@@ -28,6 +38,7 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-no-quorum-no-signers.k"],
 trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-no-signers"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -35,7 +46,17 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-no-quorum-has-signers.k"],
 trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-has-signers"],
 semantics = ":functions-execute",
- timeout = "medium",
+ timeout = "long",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-nothing",
+ srcs = ["proof-perform-action-endpoint-nothing.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-nothing",
+ ],
+ semantics = ":functions-execute",
 )
 kprove_test(
@@ -48,6 +69,17 @@ kprove_test(
 semantics = ":functions-execute",
 )
+kprove_test(
+ name = "proof-perform-action-endpoint-remove-user-BoardMember-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-remove-user-BoardMember",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
 kprove_test(
 name = "proof-perform-action-endpoint-remove-user-BoardMember-too-few",
 srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few.k"],
@@ -56,6 +88,18 @@ kprove_test(
 ":trusted-perform-action-id-remove-user-BoardMember-too-few",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-remove-user-BoardMember-too-few",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -66,6 +110,18 @@ kprove_test(
 ":trusted-perform-action-id-remove-user-Proposer-nobody-left",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-remove-user-Proposer-nobody-left",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -76,6 +132,7 @@ kprove_test(
 ":trusted-perform-action-id-remove-user-Proposer",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -88,16 +145,16 @@ kprove_test(
 semantics = ":functions-execute",
 )
-# kprove_test(
-# name = "proof-perform-action-endpoint-remove-user-New",
-# srcs = ["proof-perform-action-endpoint-remove-user-New.k"],
-# trusted = [
-# ":trusted-perform-action-endpoint-fragment-performs",
-# ":trusted-perform-action-id-remove-user-New",
-# ],
-# semantics = ":functions-execute",
-# timeout = "long",
-# )
+kprove_test(
+ name = "proof-perform-action-endpoint-remove-user-New",
+ srcs = ["proof-perform-action-endpoint-remove-user-New.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-remove-user-New",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
+)
 kprove_test(
 name = "proof-perform-action-endpoint-change-quorum",
@@ -127,6 +184,18 @@ kprove_test(
 ":trusted-perform-action-id-add-proposer-BoardMember-no-quorum",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq",
+ srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-add-proposer-BoardMember-no-quorum",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -137,6 +206,18 @@ kprove_test(
 ":trusted-perform-action-id-add-proposer-BoardMember",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-add-proposer-BoardMember-eq",
+ srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-add-proposer-BoardMember",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -149,6 +230,16 @@ kprove_test(
 semantics = ":functions-execute",
 )
+kprove_test(
+ name = "proof-perform-action-endpoint-add-proposer-Proposer-eq",
+ srcs = ["proof-perform-action-endpoint-add-proposer-Proposer-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-add-proposer-Proposer",
+ ],
+ semantics = ":functions-execute",
+)
+
 kprove_test(
 name = "proof-perform-action-endpoint-add-proposer-New",
 srcs = ["proof-perform-action-endpoint-add-proposer-New.k"],
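Review bot: The new `proof-perform-action-endpoint-add-proposer-Proposer-eq` target in the last hunk is added without `timeout = "moderate"`, unlike every other `-eq` target on this page, so it falls back to `kprove_test`'s default `"short"`, which the sibling `BoardMember-eq` and `BoardMember-no-quorum-eq` targets directly above were apparently given more time than; `proof-perform-action-endpoint-nothing` in an earlier BUILD hunk is in the same position. If that is deliberate because these cases prove quickly, a short comment would save the next reader from wondering; otherwise add `timeout = "moderate",` before the closing `)`.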
@@ -177,6 +268,18 @@ kprove_test(
 ":trusted-perform-action-id-add-board-member-New",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-add-board-member-BoardMember-eq",
+ srcs = ["proof-perform-action-endpoint-add-board-member-BoardMember-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-add-board-member-BoardMember",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -187,6 +290,7 @@ kprove_test(
 ":trusted-perform-action-id-add-board-member-BoardMember",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -197,6 +301,18 @@ kprove_test(
 ":trusted-perform-action-id-add-board-member-Proposer",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
+kprove_test(
+ name = "proof-perform-action-endpoint-add-board-member-Proposer-eq",
+ srcs = ["proof-perform-action-endpoint-add-board-member-Proposer-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-add-board-member-Proposer",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -256,6 +372,7 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-fragment-no-quorum-no-signers.k"],
 trusted = ["trusted-count-can-sign"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -263,7 +380,7 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"],
 trusted = ["trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "medium",
+ timeout = "long",
 )
 kprove_test(
@@ -271,7 +388,15 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-fragment-performs.k"],
 trusted = ["trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "medium",
+ timeout = "long",
+)
+
+kprove_test(
+ name = "proof-perform-action-id-nothing",
+ srcs = ["proof-perform-action-id-nothing.k"],
+ trusted = [":trusted-perform-action-nothing"],
+ semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -279,6 +404,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-BoardMember.k"],
 trusted = [":trusted-perform-action-remove-user-BoardMember"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -286,6 +412,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-BoardMember-too-few.k"],
 trusted = [":trusted-perform-action-remove-user-BoardMember-too-few"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -293,6 +420,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-Proposer-nobody-left.k"],
 trusted = [":trusted-perform-action-remove-user-Proposer-nobody-left"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -300,6 +428,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-Proposer.k"],
 trusted = [":trusted-perform-action-remove-user-Proposer"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -307,6 +436,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-None.k"],
 trusted = [":trusted-perform-action-remove-user-None"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -314,6 +444,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-New.k"],
 trusted = [":trusted-perform-action-remove-user-New"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -342,6 +473,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-proposer-BoardMember.k"],
 trusted = [":trusted-perform-action-add-proposer-BoardMember"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -349,6 +481,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-proposer-Proposer.k"],
 trusted = [":trusted-perform-action-add-proposer-Proposer"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -356,6 +489,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-proposer-New.k"],
 trusted = [":trusted-perform-action-add-proposer-New"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -363,6 +497,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-proposer-None.k"],
 trusted = [":trusted-perform-action-add-proposer-None"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -370,6 +505,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-board-member-New.k"],
 trusted = [":trusted-perform-action-add-board-member-New"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -559,30 +695,35 @@ kprove_test(
 name = "proof-change-user-role-BoardMember",
 srcs = ["proof-change-user-role-BoardMember.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-change-user-role-New",
 srcs = ["proof-change-user-role-New.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-change-user-role-None",
 srcs = ["proof-change-user-role-None.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-change-user-role-Proposer",
 srcs = ["proof-change-user-role-Proposer.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-count-can-sign",
 srcs = ["proof-count-can-sign.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -590,6 +731,7 @@ kprove_test(
 srcs = ["proof-discard-action-has-signers.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -603,6 +745,7 @@ kprove_test(
 srcs = ["proof-discard-action-no-signers-no-action.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -610,6 +753,7 @@ kprove_test(
 srcs = ["proof-discard-action-no-signers.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -623,7 +767,7 @@ kprove_test(
 srcs = ["proof-discard-action-no-valid-signers-no-action.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "medium",
+ timeout = "long",
 )
 kprove_test(
@@ -631,12 +775,14 @@ kprove_test(
 srcs = ["proof-discard-action-no-valid-signers.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-propose-action-BoardMember",
 srcs = ["proof-propose-action-BoardMember.k"],
 semantics = ":functions-execute",
+ timeout = "long",
 )
 kprove_test(
@@ -655,6 +801,7 @@ kprove_test(
 name = "proof-propose-action-Proposer",
 srcs = ["proof-propose-action-Proposer.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -665,6 +812,7 @@ kprove_test(
 ":trusted-propose-sc-deploy-fragment",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -701,12 +849,14 @@ kprove_test(
 ":trusted-propose-sc-deploy-fragment",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-sign-caller-none",
 srcs = ["proof-sign-caller-none.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -719,6 +869,7 @@ kprove_test(
 name = "proof-sign-caller-proposer",
 srcs = ["proof-sign-caller-proposer.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
@@ -731,72 +882,84 @@ kprove_test(
 name = "proof-sign-existing-signers-in-list",
 srcs = ["proof-sign-existing-signers-in-list.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-sign-existing-signers-not-in-list",
 srcs = ["proof-sign-existing-signers-not-in-list.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-sign-no-signers",
 srcs = ["proof-sign-no-signers.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-no-action",
 srcs = ["proof-unsign-no-action.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-no-role",
 srcs = ["proof-unsign-no-role.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-no-signers",
 srcs = ["proof-unsign-no-signers.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-no-user",
 srcs = ["proof-unsign-no-user.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-not-signed",
 srcs = ["proof-unsign-not-signed.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-only-signer",
 srcs = ["proof-unsign-only-signer.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-other-signers-first",
 srcs = ["proof-unsign-other-signers-first.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-other-signers-not-first",
 srcs = ["proof-unsign-other-signers-not-first.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 kprove_test(
 name = "proof-unsign-Proposer",
 srcs = ["proof-unsign-Proposer.k"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 ktrusted(
@@ -1083,3 +1246,45 @@ ktrusted(
 name = "trusted-perform-action-id-nothing",
 srcs = ["proof-perform-action-id-nothing.k"],
 )
+
+ktrusted(
+ name = "trusted-discard-action-has-signers",
+ srcs = ["proof-discard-action-has-signers.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-discard-action-no-role",
+ srcs = ["proof-discard-action-no-role.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-discard-action-no-signers-no-action",
+ srcs = ["proof-discard-action-no-signers-no-action.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-discard-action-no-signers",
+ srcs = ["proof-discard-action-no-signers.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-discard-action-no-user",
+ srcs = ["proof-discard-action-no-user.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-discard-action-no-valid-signers-no-action",
+ srcs = ["proof-discard-action-no-valid-signers-no-action.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-discard-action-no-valid-signers",
+ srcs = ["proof-discard-action-no-valid-signers.k"],
+ visibility = ["//visibility:public"],
+)
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember-eq.k
new file mode 100644
index 000000000..b5e964409
--- /dev/null
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-BoardMember-eq.k
@@ -0,0 +1,71 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-board-member-boardmember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-BOARDMEMBER-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer-eq.k new file mode 100644 index 000000000..2824081da --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-board-member-Proposer-eq.k 
@@ -0,0 +1,72 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-board-member-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-PROPOSER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-BOARD-MEMBER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-PROPOSER-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Proposer + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers +Int 1), + u(NumProposers -Int 1), + CallerId |-> BoardMember + UserIdToRoleInner:Map, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-eq.k new file mode 100644 index 000000000..c99d79028 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-eq.k 
@@ -0,0 +1,73 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers +Int 1), + (CallerId |-> Proposer + UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k new file mode 100644 index 000000000..923c8ef9b --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k 
@@ -0,0 +1,72 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum ==Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer-eq.k new file mode 100644 index 000000000..de4988742 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-add-proposer-Proposer-eq.k 
@@ -0,0 +1,72 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-add-proposer-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-PROPOSER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-ADD-PROPOSER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-PROPOSER-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-nothing.k new file mode 100644 index 000000000..076d9f027 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-nothing.k 
@@ -0,0 +1,70 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-id-nothing.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-NOTHING + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-NOTHING +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-NOTHING +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Nothing) PerformedActions + ) + + requires true + // perform-from-id + andBool notBool ActionId in_keys(ActionData) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k new file mode 100644 index 000000000..3e981d863 --- /dev/null 
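Review bot: The claim establishes a security-relevant fact that the module never states in words: calling `performActionEndpoint` with an `ActionId` absent from `ActionData` does not fail, it finishes with `evaluate(void)`, deletes `ActionSigners[ActionId]` and appends `Nothing` to `PerformedActions`, and a reader has to reconstruct this from `notBool ActionId in_keys(ActionData)`. A header comment above `claim` such as `// Performing an id with no stored action is not an error: any signers recorded for that id are dropped and Nothing is logged.` would make the intent reviewable. The precondition still requires `Quorum <=Int countCanSignFunction(...)` over whatever signers are attached to the missing id, so it is worth stating whether a signer set for a non-existent action is reachable under `actionSignersInvariant` or whether this case is only reachable with an empty list (and, if `Quorum` can be 0, with no signers at all).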
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k 
@@ -0,0 +1,72 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-remove-user-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + CallerId |-> BoardMember + UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k new file mode 100644 index 000000000..5230ffc27 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k 
@@ -0,0 +1,75 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-remove-user-BoardMember-too-few.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-TOO-FEW-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-BOARDMEMBER-TOO-FEW +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-TOO-FEW-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool (false + orBool NumBoardMembers +Int NumProposers ==Int 1 + orBool Quorum ==Int NumBoardMembers + ) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k new file mode 100644 index 000000000..1e8cffb43 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k 
@@ -0,0 +1,73 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-remove-user-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Proposer + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers -Int 1), + (CallerId |-> Role UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k new file mode 100644 index 000000000..ebdb5f4a6 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k 
@@ -0,0 +1,73 @@ +//@ proof +require "trusted-perform-action-endpoint-fragment-performs.k" //@ Bazel remove +require "trusted-perform-action-endpoint-id-remove-user-Proposer-nobody-left.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-NOBODY-LEFT-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-PERFORMS + imports TRUSTED-PERFORM-ACTION-ID-REMOVE-USER-PROPOSER-NOBODY-LEFT +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-NOBODY-LEFT-EQ +//@ end + imports FUNCTIONS-EXECUTE + + claim + call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers ==Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k new file mode 100644 index 000000000..e7abbd524 --- /dev/null +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-id-nothing.k @@ -0,0 +1,93 @@ +//@ proof +require "trusted-perform-action-sc-call.k" //@ Bazel remove + +module PROOF-PERFORM-ACTION-ID-NOTHING + imports TRUSTED-PERFORM-ACTION-NOTHING +//@ trusted +// module TRUSTED-PERFORM-ACTION-ID-NOTHING +//@ end + + imports PSEUDOCODE + + claim + + call(performActionFromId(ActionId:Usize)) ~> K:K + + + + + NumUsers:Usize + UserIdToAddress:Map + AddressToUserId:Map + + + NumBoardMembers:Usize + NumProposers:Usize + UserIdToRole:Map + Quorum:Usize + + + ActionLastIndex:Usize + + ActionData:Map + ActionSigners:Map + + + + + .Map + Stack:Stack + + + CallerAddress:Address + + + PerformedActions:List + + + + => + + evaluate(void) ~> K + + + + NumUsers + UserIdToAddress + AddressToUserId + + + NumBoardMembers + NumProposers + UserIdToRole + Quorum + + + ActionLastIndex + + ActionData + ActionSigners[ActionId <- undef] + + + + + ?_Variables + Stack + + + CallerAddress + + + ListItem(Nothing) PerformedActions + + + + requires true + andBool notBool ActionId in_keys(ActionData) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end + +endmodule \ No newline at end of file From a54033455a088b6b4ceddffeb593aaa1ff6343ea Mon Sep 17 00:00:00 2001 
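Review bot: The `require` line names `trusted-perform-action-sc-call.k` while the module imports `TRUSTED-PERFORM-ACTION-NOTHING`, so outside Bazel (the `//@ Bazel remove` marker means Bazel strips this line and supplies the dependency from BUILD) the import will not resolve unless the sc-call file happens to define the nothing module. The line should read `require "trusted-perform-action-nothing.k" //@ Bazel remove`, following the naming every other proof file in this patch uses. The file is also missing its trailing newline.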
From: Virgil Serbanuta Date: Tue, 20 Apr 2021 13:11:55 +0300 Subject: [PATCH 31/37] Partial perform action proof --- multisig/.gitignore | 3 +- multisig/kompile_tool/kore.sh | 5 +- multisig/kompile_tool/kprove.sh | 13 +- multisig/proof.bzl | 14 +- .../protocol-correctness/proof/.gitignore | 3 +- .../proof/functions/BUILD | 279 ++++++++-- .../proof-perform-action-endpoint-None.k | 2 +- ...-endpoint-fragment-no-quorum-has-signers.k | 72 --- ...form-action-endpoint-fragment-no-quorum.k} | 7 +- ...proof-perform-action-endpoint-no-quorum.k} | 11 +- ...tion-endpoint-remove-user-BoardMember-eq.k | 7 +- ...-action-endpoint-remove-user-Proposer-eq.k | 2 +- .../proof/invariant/BUILD | 479 ++++++++++++++++ .../proof/invariant/count-can-sign-parts.k | 8 +- .../proof/invariant/init-loop-parts.k | 8 +- .../proof/invariant/invariant-execution.k | 510 +++++++++++++++++- .../proof/invariant/perform-parts.k | 8 +- .../proof/invariant/proof-count-can-sign.k | 6 +- .../proof/invariant/proof-discard-action.k | 14 +- .../proof-perform-add-board-member.k | 126 ----- .../invariant/proof-perform-add-proposer-1.k | 108 ---- .../invariant/proof-perform-add-proposer-3.k | 136 ----- .../invariant/proof-perform-add-proposer-5.k | 136 ----- .../invariant/proof-perform-add-proposer-7.k | 135 ----- .../invariant/proof-perform-add-proposer-8.k | 134 ----- .../invariant/proof-perform-add-proposer-9.k | 128 ----- .../invariant/proof-perform-change-quorum.k | 225 -------- .../proof/invariant/proof-perform-nothing.k | 114 ---- .../proof/invariant/proof-perform-parts-New.k | 61 +++ .../invariant/proof-perform-parts-None.k | 60 +++ ...rm-parts-add-board-member-boardmember-eq.k | 70 +++ ...rform-parts-add-board-member-boardmember.k | 73 +++ ...proof-perform-parts-add-board-member-new.k | 78 +++ ...roof-perform-parts-add-board-member-none.k | 73 +++ ...rform-parts-add-board-member-proposer-eq.k | 71 +++ ...-perform-parts-add-board-member-proposer.k | 75 +++ .../proof-perform-parts-add-board-member.k | 107 
++++ ...erform-parts-add-proposer-BoardMember-eq.k | 72 +++ ...ts-add-proposer-BoardMember-no-quorum-eq.k | 72 +++ ...parts-add-proposer-BoardMember-no-quorum.k | 74 +++ ...f-perform-parts-add-proposer-BoardMember.k | 76 +++ .../proof-perform-parts-add-proposer-New.k | 79 +++ .../proof-perform-parts-add-proposer-None.k | 74 +++ ...f-perform-parts-add-proposer-Proposer-eq.k | 71 +++ ...roof-perform-parts-add-proposer-Proposer.k | 75 +++ .../proof-perform-parts-add-proposer.k | 94 ++++ ...of-perform-parts-change-quorum-no-quorum.k | 71 +++ .../proof-perform-parts-change-quorum.k | 71 +++ .../proof-perform-parts-no-quorum.k} | 18 +- .../invariant/proof-perform-parts-nothing.k | 69 +++ ...perform-parts-remove-user-BoardMember-eq.k | 72 +++ ...parts-remove-user-BoardMember-too-few-eq.k | 74 +++ ...rm-parts-remove-user-BoardMember-too-few.k | 77 +++ ...of-perform-parts-remove-user-BoardMember.k | 75 +++ .../proof-perform-parts-remove-user-New.k | 78 +++ .../proof-perform-parts-remove-user-None.k | 75 +++ ...of-perform-parts-remove-user-Proposer-eq.k | 72 +++ ...arts-remove-user-Proposer-nobody-left-eq.k | 72 +++ ...m-parts-remove-user-Proposer-nobody-left.k | 75 +++ ...proof-perform-parts-remove-user-Proposer.k | 75 +++ .../invariant/proof-perform-parts-sc-call.k | 74 +++ .../invariant/proof-perform-parts-sc-deploy.k | 74 +++ .../invariant/proof-perform-parts-send-egld.k | 73 +++ 63 files changed, 3829 insertions(+), 1414 deletions(-) delete mode 100644 multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k rename multisig/protocol-correctness/proof/functions/{proof-perform-action-endpoint-fragment-no-quorum-no-signers.k => proof-perform-action-endpoint-fragment-no-quorum.k} (89%) rename multisig/protocol-correctness/proof/functions/{proof-perform-action-endpoint-no-quorum-has-signers.k => proof-perform-action-endpoint-no-quorum.k} (80%) create mode 100644 multisig/protocol-correctness/proof/invariant/BUILD delete 
mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-New.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-None.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-new.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-none.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-eq.k create mode 100644 
multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-New.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-None.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-no-quorum.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k rename multisig/protocol-correctness/proof/{functions/proof-perform-action-endpoint-no-quorum-no-signers.k => invariant/proof-perform-parts-no-quorum.k} (71%) create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-nothing.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-New.k create mode 100644 
multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-None.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-call.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-deploy.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-send-egld.k diff --git a/multisig/.gitignore b/multisig/.gitignore index 6bf4b1129..e108c569c 100644 --- a/multisig/.gitignore +++ b/multisig/.gitignore @@ -1,2 +1,3 @@ kompile_tool/k -bazel-* \ No newline at end of file +kompile_tool/k.old +bazel-* diff --git a/multisig/kompile_tool/kore.sh b/multisig/kompile_tool/kore.sh index fd346c38a..6ab22e3be 100755 --- a/multisig/kompile_tool/kore.sh +++ b/multisig/kompile_tool/kore.sh @@ -2,6 +2,9 @@ set -e +SPEC_MODULE_NAME=$1 +shift + KOMPILE_DIR=`dirname $1` shift @@ -19,7 +22,7 @@ shift MODULE_NAME=$(cat $COMMAND | sed 's/^.*--module \([^ ]*\) .*$/\1/') -SPEC_MODULE_NAME=$(cat $COMMAND | sed 's/^.*--spec-module \([^ ]*\) .*$/\1/') +# SPEC_MODULE_NAME=$(cat $COMMAND | sed 's/^.*--spec-module \([^ ]*\) .*$/\1/') KOMPILE_TOOL_DIR=kompile_tool diff --git a/multisig/kompile_tool/kprove.sh b/multisig/kompile_tool/kprove.sh index 22c4e0d63..5279aa4d5 100755 --- a/multisig/kompile_tool/kprove.sh +++ b/multisig/kompile_tool/kprove.sh 
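Review bot: `SPEC_MODULE_NAME=$1` is now taken from the command line with no check, so a caller that omits the new leading argument silently shifts every later positional parameter by one and `KOMPILE_DIR` becomes the dirname of the wrong path. Guard it with `: "${SPEC_MODULE_NAME:?usage: kore.sh SPEC_MODULE KOMPILE_DIR ...}"` right after the assignment. The old sed-based derivation should be deleted rather than left as `# SPEC_MODULE_NAME=...`; the diff already records the history.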
@@ -16,6 +16,9 @@ shift PROOF_FILE=$(realpath $1) shift +#BREADTH=$1 +#shift + MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:]) cp -rL $KOMPILE_DIR $TMP_DIR @@ -26,12 +29,16 @@ KOMPILE_TOOL_DIR=kompile_tool KPROVE=$(realpath $KOMPILE_TOOL_DIR/k/bin/kprove) REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript) -BACKEND_COMMAND="kore-exec" +#KORE_EXEC="kore-exec --breadth $BREADTH" +KORE_EXEC="kore-exec --breadth $BREADTH" +KORE_REPL="kore-repl --repl-script $REPL_SCRIPT" + +BACKEND_COMMAND=$KORE_EXEC if [ $# -eq 0 ]; then - BACKEND_COMMAND="kore-exec" + BACKEND_COMMAND=$KORE_EXEC else if [ "$1" == "--debug" ]; then - BACKEND_COMMAND="kore-repl --repl-script $REPL_SCRIPT" + BACKEND_COMMAND=$KORE_REPL else echo "Unknown argument: '$1'" exit 1 diff --git a/multisig/proof.bzl b/multisig/proof.bzl index 61c34294a..923cdc779 100644 --- a/multisig/proof.bzl +++ b/multisig/proof.bzl @@ -299,17 +299,19 @@ def _kore_test_impl(ctx): script_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') - tool_call = "kompile_tool/kore_tool %s %s %s %s %s" % ( + tool_call = "kompile_tool/kore_tool %s %s %s %s %s %s" % ( + ctx.attr.module, ctx.attr.kompiled[KompileInfo].files[0].short_path, ctx.attr.kompiled[KproveInfo].definition.short_path, ctx.attr.kompiled[KproveInfo].spec.short_path, ctx.attr.kompiled[KproveInfo].command.short_path, - ctx.label.name + '.output.k') + ctx.label.name + '.output.k', + ctx.attr.breadth) command_parts = [ - "pushd $(pwd)", + "pushd $(pwd) > /dev/null", "%s --debug" % tool_call, - "popd", + "popd > /dev/null", ] script_lines = [ "#!/usr/bin/env bash", @@ -340,7 +342,8 @@ def _kore_test_impl(ctx): kore_test = rule( implementation = _kore_test_impl, attrs = { - "kompiled": attr.label(providers=[KproveInfo]), + "kompiled": attr.label(providers=[KproveInfo], mandatory=True), + "module": attr.string(mandatory=True), "kore_tool": attr.label( executable = True, cfg = "exec", 
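Review bot: `KORE_EXEC="kore-exec --breadth $BREADTH"` reads `$BREADTH`, but the only lines that would set it from a positional argument, `#BREADTH=$1` and `#shift` in the first hunk, are commented out, so unless the caller exports BREADTH the backend string ends in `--breadth ` with no value. Either restore the assignment in the position that matches what proof.bzl now passes, or guard the variable before the string is built, `: "${BREADTH:?BREADTH must be set}"`. The duplicated `#KORE_EXEC="kore-exec --breadth $BREADTH"` comment directly above the live assignment should be removed. How BACKEND_COMMAND is expanded later is outside the hunk, so whether the empty value becomes a missing argument or an empty one is not visible here.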
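Review bot: `tool_call` now appends `ctx.attr.breadth` as an extra argument, but the `attrs` hunk below adds only `"module": attr.string(mandatory=True)`; unless `breadth` is declared in a part of `attrs` outside this hunk, the rule fails at analysis time with an unknown attribute. The kore.sh hunks in this commit only add handling for the new leading module-name argument, and kprove.sh comments out its BREADTH parsing, so it is not visible that anything consumes the trailing value; either wire it through or drop it from the call. Making `kompiled` and `module` mandatory also breaks any direct `kore_test(...)` call site other than the `kprove_test` macro, if such call sites exist.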
@@ -373,6 +376,7 @@ def kprove_test(*, name, srcs, trusted=[], semantics, timeout="short"): kore_test( name = name, + module = name.upper(), kompiled = ":%s-kompile" % name, timeout = timeout, )
diff --git a/multisig/protocol-correctness/proof/.gitignore b/multisig/protocol-correctness/proof/.gitignore
index d973ef30c..88cc470a3 100644
--- a/multisig/protocol-correctness/proof/.gitignore
+++ b/multisig/protocol-correctness/proof/.gitignore
@@ -6,4 +6,5 @@ kore-repl*
 *.eventlog
 out
 .out
-.deps
\ No newline at end of file
+.deps
+trusted-*.k
diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD
index 835202d75..44a777802 100644
--- a/multisig/protocol-correctness/proof/functions/BUILD
+++ b/multisig/protocol-correctness/proof/functions/BUILD
@@ -34,19 +34,10 @@ kprove_test(
 )
 
 kprove_test(
- name = "proof-perform-action-endpoint-no-quorum-no-signers",
- srcs = ["proof-perform-action-endpoint-no-quorum-no-signers.k"],
- trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-no-signers"],
+ name = "proof-perform-action-endpoint-no-quorum",
+ srcs = ["proof-perform-action-endpoint-no-quorum.k"],
+ trusted = [":trusted-perform-action-endpoint-fragment-no-quorum"],
 semantics = ":functions-execute",
- timeout = "moderate",
-)
-
-kprove_test(
- name = "proof-perform-action-endpoint-no-quorum-has-signers",
- srcs = ["proof-perform-action-endpoint-no-quorum-has-signers.k"],
- trusted = [":trusted-perform-action-endpoint-fragment-no-quorum-has-signers"],
- semantics = ":functions-execute",
- timeout = "long",
 )
 
 kprove_test(
@@ -57,6 +48,7 @@ kprove_test(
 ":trusted-perform-action-id-nothing",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -67,6 +59,7 @@ kprove_test(
 ":trusted-perform-action-id-remove-user-BoardMember",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
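Review bot: `module = name.upper()` ties the K module name to the Bazel target name, whereas kprove.sh derives `MODULE_NAME` from the source file's basename via `tr [:lower:] [:upper:]`; the two agree only when the target name equals the `.k` file stem, which the call sites in this commit follow by convention but nothing enforces. A comment above the line, `# K module names are the upper-cased file stem; the target name must equal the stem of srcs[0].`, or a `fail()` when `srcs != [name + ".k"]`, would make the assumption explicit. The `kprove_test` macro body starts before this hunk.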
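Review bot: The merged `proof-perform-action-endpoint-no-quorum` target drops its `timeout` line and so falls back to the macro default `timeout="short"` visible in the `kprove_test` signature on this same line, yet it replaces two targets that needed `"moderate"` and `"long"` and now proves the union of the no-signers and has-signers cases; the fragment it trusts, `proof-perform-action-endpoint-fragment-no-quorum`, keeps `"long"` further down. Restore `timeout = "moderate",` (or `"long"`) after the `semantics` line so the proof does not time out on the default limit.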
@@ -135,6 +128,17 @@ kprove_test(
 timeout = "moderate",
 )
 
+kprove_test(
+ name = "proof-perform-action-endpoint-remove-user-Proposer-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-Proposer-eq.k"],
+ trusted = [
+ ":trusted-perform-action-endpoint-fragment-performs",
+ ":trusted-perform-action-id-remove-user-Proposer",
+ ],
+ semantics = ":functions-execute",
+ timeout = "moderate",
+)
+
 kprove_test(
 name = "proof-perform-action-endpoint-remove-user-None",
 srcs = ["proof-perform-action-endpoint-remove-user-None.k"],
@@ -143,6 +147,7 @@ kprove_test(
 ":trusted-perform-action-id-remove-user-None",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -164,6 +169,7 @@ kprove_test(
 ":trusted-perform-action-id-change-quorum",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -174,6 +180,7 @@ kprove_test(
 ":trusted-perform-action-id-change-quorum-no-quorum",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -228,6 +235,7 @@ kprove_test(
 ":trusted-perform-action-id-add-proposer-Proposer",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -248,6 +256,7 @@ kprove_test(
 ":trusted-perform-action-id-add-proposer-New",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -258,6 +267,7 @@ kprove_test(
 ":trusted-perform-action-id-add-proposer-None",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -323,6 +333,7 @@ kprove_test(
 ":trusted-perform-action-id-add-board-member-None",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -333,6 +344,7 @@ kprove_test(
 ":trusted-perform-action-id-send-egld",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -343,6 +355,7 @@ kprove_test(
 ":trusted-perform-action-id-sc-call",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
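Review bot: Every hunk from here through the sc-deploy, add-proposer-BoardMember-no-quorum, add-board-member-* and sc-call hunks adds a one-line `timeout = "moderate",` to an existing target, and the change-user-role, discard-action, propose-action and unsign-other-signers hunks bump `"moderate"` to `"long"`, so `"short"` is no longer the common case for these proofs. Changing the `kprove_test` macro default to `timeout="moderate"` would cover the new `proof-perform-action-endpoint-remove-user-Proposer-eq` target added here and the dozen one-line additions without touching each call site; targets that genuinely finish quickly can opt into `"short"` explicitly.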
@@ -353,6 +366,7 @@ kprove_test(
 ":trusted-perform-action-id-sc-deploy",
 ],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -368,16 +382,8 @@ kprove_test(
 )
 
 kprove_test(
- name = "proof-perform-action-endpoint-fragment-no-quorum-no-signers",
- srcs = ["proof-perform-action-endpoint-fragment-no-quorum-no-signers.k"],
- trusted = ["trusted-count-can-sign"],
- semantics = ":functions-execute",
- timeout = "moderate",
-)
-
-kprove_test(
- name = "proof-perform-action-endpoint-fragment-no-quorum-has-signers",
- srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"],
+ name = "proof-perform-action-endpoint-fragment-no-quorum",
+ srcs = ["proof-perform-action-endpoint-fragment-no-quorum.k"],
 trusted = ["trusted-count-can-sign"],
 semantics = ":functions-execute",
 timeout = "long",
@@ -466,6 +472,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-proposer-BoardMember-no-quorum.k"],
 trusted = [":trusted-perform-action-add-proposer-BoardMember-no-quorum"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -513,6 +520,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-board-member-BoardMember.k"],
 trusted = [":trusted-perform-action-add-board-member-BoardMember"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -520,6 +528,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-board-member-Proposer.k"],
 trusted = [":trusted-perform-action-add-board-member-Proposer"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -527,6 +536,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-add-board-member-None.k"],
 trusted = [":trusted-perform-action-add-board-member-None"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -541,6 +551,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-sc-call.k"],
 trusted = [":trusted-perform-action-sc-call"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -548,6 +559,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-sc-deploy.k"],
 trusted = [":trusted-perform-action-sc-deploy"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -562,6 +574,7 @@ kprove_test(
 srcs = ["proof-perform-action-remove-user-BoardMember-too-few.k"],
 trusted = [":trusted-change-user-role-BoardMember"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -590,6 +603,7 @@ kprove_test(
 srcs = ["proof-perform-action-remove-user-New.k"],
 trusted = [":trusted-change-user-role-New"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -630,6 +644,7 @@ kprove_test(
 srcs = ["proof-perform-action-add-proposer-New.k"],
 trusted = [":trusted-change-user-role-New"],
 semantics = ":functions-execute",
+ timeout = "moderate",
 )
 
 kprove_test(
@@ -702,7 +717,7 @@ kprove_test(
 name = "proof-change-user-role-New",
 srcs = ["proof-change-user-role-New.k"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long",
 )
 
 kprove_test(
@@ -731,7 +746,7 @@ kprove_test(
 srcs = ["proof-discard-action-has-signers.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long",
 )
 
 kprove_test(
@@ -775,7 +790,7 @@ kprove_test(
 srcs = ["proof-discard-action-no-valid-signers.k"],
 trusted = [":trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long",
 )
 
 kprove_test(
@@ -801,7 +816,7 @@ kprove_test(
 name = "proof-propose-action-Proposer",
 srcs = ["proof-propose-action-Proposer.k"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long",
 )
 
 kprove_test(
@@ -945,14 +960,14 @@ kprove_test(
 name = "proof-unsign-other-signers-first",
 srcs = ["proof-unsign-other-signers-first.k"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long",
 )
 
 kprove_test(
 name = "proof-unsign-other-signers-not-first",
 srcs = ["proof-unsign-other-signers-not-first.k"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long",
 )
 
 kprove_test(
@@ -1128,13 +1143,8 @@ ktrusted(
 )
 
 ktrusted(
- name = "trusted-perform-action-endpoint-fragment-no-quorum-no-signers",
- srcs = ["proof-perform-action-endpoint-fragment-no-quorum-no-signers.k"],
-)
-
-ktrusted(
- name = "trusted-perform-action-endpoint-fragment-no-quorum-has-signers",
- srcs = ["proof-perform-action-endpoint-fragment-no-quorum-has-signers.k"],
+ name = "trusted-perform-action-endpoint-fragment-no-quorum",
+ srcs = ["proof-perform-action-endpoint-fragment-no-quorum.k"],
 )
 
 ktrusted(
@@ -1288,3 +1298,202 @@ ktrusted(
 srcs = ["proof-discard-action-no-valid-signers.k"],
 visibility = ["//visibility:public"],
 )
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-board-member-BoardMember-eq",
+ srcs = ["proof-perform-action-endpoint-add-board-member-BoardMember-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-board-member-BoardMember",
+ srcs = ["proof-perform-action-endpoint-add-board-member-BoardMember.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-board-member-New",
+ srcs = ["proof-perform-action-endpoint-add-board-member-New.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-board-member-None",
+ srcs = ["proof-perform-action-endpoint-add-board-member-None.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-board-member-Proposer-eq",
+ srcs = ["proof-perform-action-endpoint-add-board-member-Proposer-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-board-member-Proposer",
+ srcs = ["proof-perform-action-endpoint-add-board-member-Proposer.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-BoardMember-eq",
+ srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-BoardMember",
+ srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq",
+ srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-BoardMember-no-quorum",
+ srcs = ["proof-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-New",
+ srcs = ["proof-perform-action-endpoint-add-proposer-New.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-None",
+ srcs = ["proof-perform-action-endpoint-add-proposer-None.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-Proposer-eq",
+ srcs = ["proof-perform-action-endpoint-add-proposer-Proposer-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-add-proposer-Proposer",
+ srcs = ["proof-perform-action-endpoint-add-proposer-Proposer.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-change-quorum",
+ srcs = ["proof-perform-action-endpoint-change-quorum.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-change-quorum-no-quorum",
+ srcs = ["proof-perform-action-endpoint-change-quorum-no-quorum.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-New",
+ srcs = ["proof-perform-action-endpoint-New.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-None",
+ srcs = ["proof-perform-action-endpoint-None.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-no-quorum",
+ srcs = ["proof-perform-action-endpoint-no-quorum.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-nothing",
+ srcs = ["proof-perform-action-endpoint-nothing.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-BoardMember-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-BoardMember",
+ srcs = ["proof-perform-action-endpoint-remove-user-BoardMember.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-BoardMember-too-few-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-BoardMember-too-few",
+ srcs = ["proof-perform-action-endpoint-remove-user-BoardMember-too-few.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-New",
+ srcs = ["proof-perform-action-endpoint-remove-user-New.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-None",
+ srcs = ["proof-perform-action-endpoint-remove-user-None.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-Proposer-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-Proposer-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-Proposer",
+ srcs = ["proof-perform-action-endpoint-remove-user-Proposer.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-Proposer-nobody-left-eq",
+ srcs = ["proof-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-remove-user-Proposer-nobody-left",
+ srcs = ["proof-perform-action-endpoint-remove-user-Proposer-nobody-left.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-sc-call",
+ srcs = ["proof-perform-action-endpoint-sc-call.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-sc-deploy",
+ srcs = ["proof-perform-action-endpoint-sc-deploy.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-perform-action-endpoint-send-egld",
+ srcs = ["proof-perform-action-endpoint-send-egld.k"],
+ visibility = ["//visibility:public"],
+)
+
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k
index 44ed2822e..049b6f179 100644
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-None.k
@@ -9,7 +9,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-NONE
 imports FUNCTIONS-EXECUTE
 
 claim
- call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ call(performActionEndpoint(_ActionId:Usize)) ~> K:K
 invariantStateFull(
 NumUsers:Usize,
 UserIdToAddress:Map,
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k
deleted file mode 100644
index 23bbc69d3..000000000
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-has-signers.k
+++ /dev/null
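Review bot: The 33 `ktrusted` stanzas added here differ only in the proof stem, so a list plus a loop keeps them in step with the `kprove_test` targets above and makes a missing or misspelt stem a one-line fix, e.g. `for stem in PERFORM_ACTION_ENDPOINT_PROOFS:` / `    ktrusted(name = "trusted-" + stem[len("proof-"):], srcs = [stem + ".k"], visibility = ["//visibility:public"])`. All of these carry `visibility = ["//visibility:public"]` while `trusted-perform-action-endpoint-fragment-no-quorum` in the earlier ktrusted hunk does not; if only the endpoint-level targets are consumed from the invariant package that is fine, but a short comment saying so would save the next reader the question.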
@@ -1,72 +0,0 @@
-//@ proof
-require "trusted-count-can-sign.k" //@ Bazel remove
-
-module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-HAS-SIGNERS
- imports TRUSTED-COUNT-CAN-SIGN
-//@ trusted
-// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-HAS-SIGNERS
-//@ end
- imports FUNCTIONS-EXECUTE
-
- claim
- runPseudoCode(
- caller_address = getCaller();
- caller_id = getUserId(caller_address);
- caller_role = getUserIdToRole(caller_id);
- require(userRoleCanPerformAction(caller_role));
- require(quorumReached(ActionId:Usize));
- performActionFromId(ActionId);
- )
- ~> K:K
-
- invariantStateFull(
- NumUsers:Usize,
- UserIdToAddress:Map,
- (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
- NumBoardMembers:Usize,
- NumProposers:Usize,
- (UserId |-> Role:UserRole _UserIdToRole:Map) #as UserIdToRole:Map,
- u(Quorum:Int),
- ActionLastIndex:Usize,
- ActionData:Map,
- (ActionId |-> SignerIds:ExpressionList _ActionSigners:Map) #as ActionSigners:Map,
- CallerAddress:Address,
- Stack:Stack,
- .Map,
- PerformedActions:List
- )
-
- =>
-
- error ~> K:K
- invariantStateFull(
- NumUsers,
- UserIdToAddress,
- AddressToUserId,
- NumBoardMembers,
- NumProposers,
- UserIdToRole,
- u(Quorum),
- ActionLastIndex,
- ActionData,
- ActionSigners,
- CallerAddress,
- Stack,
- caller_address |-> CallerAddress
- caller_id |-> UserId
- caller_role |-> Role,
- PerformedActions
- )
-
- requires true
- andBool userIdToRoleInvariant(UserIdToRole)
- andBool actionSignersInvariant(ActionSigners)
-
- andBool (Role ==K BoardMember orBool Role ==K Proposer)
- andBool Quorum >Int countCanSignFunction(SignerIds, opaque(UserIdToRole))
- ensures true
- //@ proof
- //@ trusted
- // [trusted]
- //@ end
-endmodule
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum.k
similarity index 89%
rename from multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k
rename to multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum.k
index d131eab6a..92569abe0 100644
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum-no-signers.k
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-fragment-no-quorum.k
@@ -1,10 +1,10 @@
 //@ proof
 require "trusted-count-can-sign.k" //@ Bazel remove
 
-module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS
+module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM
 imports TRUSTED-COUNT-CAN-SIGN
 //@ trusted
-// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS
+// module TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM
 //@ end
 imports FUNCTIONS-EXECUTE
 
@@ -63,8 +63,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS
 andBool actionSignersInvariant(ActionSigners)
 
 andBool (Role ==K BoardMember orBool Role ==K Proposer)
- andBool notBool ActionId in_keys(ActionSigners)
- andBool Quorum >Int 0
+ andBool Quorum >Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
 ensures true
 //@ proof
 //@ trusted
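Review bot: The new side condition projects `ActionSigners[ActionId] orDefault [.]` with `:>ExpressionList`; if a stored value were not of that sort the projection is undefined, the `requires` becomes unsatisfiable and the claim holds vacuously, hiding the case instead of proving it. The conjunct `andBool actionSignersInvariant(ActionSigners)` a few lines up presumably pins every value to `ExpressionList`, but that link is not stated; a comment on the new line, `// actionSignersInvariant fixes the value sort, so the :>ExpressionList projection is total`, would record why the cast is safe. The same condition is duplicated verbatim in the renamed proof-perform-action-endpoint-no-quorum.k and deserves the same comment. The claim's left-hand side is outside this hunk.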
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum.k similarity index 80% rename from multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k rename to multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum.k index b5ca30344..3005141df 100644 --- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum.k @@ -1,10 +1,10 @@ //@ proof require "trusted-perform-action-endpoint-fragment-no-quorum-has-signers.k" //@ Bazel remove -module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-HAS-SIGNERS - imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-HAS-SIGNERS +module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM + imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM //@ trusted -// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM-HAS-SIGNERS +// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM //@ end imports FUNCTIONS-EXECUTE @@ -50,9 +50,10 @@ module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-HAS-SIGNERS ) requires true + andBool userIdToRoleInvariant(UserIdToRole) + andBool actionSignersInvariant(ActionSigners) andBool (Role ==K BoardMember orBool Role ==K Proposer) - andBool notBool ActionId in_keys(ActionSigners) - andBool Quorum >Int 0 + andBool Quorum >Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) ensures true //@ proof //@ trusted diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k index 3e981d863..9379609df 100644 
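Review bot: The context line `require "trusted-perform-action-endpoint-fragment-no-quorum-has-signers.k" //@ Bazel remove` is left unchanged while the import directly below it is updated to `TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM`, and the has-signers fragment is deleted in this same commit; Bazel strips the line, but running the file through kprove outside Bazel will fail on a missing file. Change it to `require "trusted-perform-action-endpoint-fragment-no-quorum.k" //@ Bazel remove` so the require and the import name the same module.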
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-BoardMember-eq.k
@@ -20,8 +20,9 @@ module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-EQ
 ) #as AddressToUserId:Map,
 u(NumBoardMembers:Int),
 u(NumProposers:Int),
- CallerId |-> BoardMember
- UserIdToRole:Map,
+ (CallerId |-> BoardMember
+ UserIdToRoleInner:Map
+ ) #as UserIdToRole:Map,
 u(Quorum:Int),
 ActionLastIndex:Usize,
 ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action
@@ -42,7 +43,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-EQ
 AddressToUserId,
 u(NumBoardMembers -Int 1),
 u(NumProposers),
- UserIdToRole,
+ UserIdToRoleInner,
 u(Quorum),
 ActionLastIndex,
 ActionData,
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k
index 1e8cffb43..9e125b78e 100644
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k
+++ b/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-remove-user-Proposer-eq.k
@@ -43,7 +43,7 @@ module PROOF-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-EQ
 AddressToUserId,
 u(NumBoardMembers),
 u(NumProposers -Int 1),
- (CallerId |-> Role UserIdToRoleInner),
+ UserIdToRoleInner,
 u(Quorum),
 ActionLastIndex,
 ActionData,
diff --git a/multisig/protocol-correctness/proof/invariant/BUILD b/multisig/protocol-correctness/proof/invariant/BUILD
new file mode 100644
index 000000000..09a30eb60
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/BUILD
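Review bot: Both post-states now use `UserIdToRoleInner`, i.e. the claims assert that performing `RemoveUser(CallerAddress)` deletes the caller's entry from the role map, whereas the Proposer-eq claim previously kept `(CallerId |-> Role UserIdToRoleInner)` on the right-hand side; that is a change in what is proved, not only a restructuring, and it should match what the pseudocode's remove-user path actually does, which this diff does not show. A comment on the `) #as UserIdToRole:Map` binding, `// the action removes the caller's own role entry; the rest of the map is unchanged`, would make the intended effect explicit in both files. The claim bodies continue outside these hunks.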
@@ -0,0 +1,479 @@ +load("//:proof.bzl", "kompile", "kprove_test", "ktrusted", "klibrary", "kore_test", "kprove_kompile") + +kompile( + name = "invariant-execution", + srcs = ["invariant-execution.k"], + deps = [ + ":count-can-sign-parts-files", + ":init-loop-parts-files", + ":perform-parts-files", + "//protocol-correctness/proof:execution-proof-files", + "//protocol-correctness/proof/functions:functions-execute-files", + ], +) + +# TODO: Delete. +klibrary( + name = "count-can-sign-parts-files", + srcs = ["count-can-sign-parts.k"], + deps = [ + "//protocol-correctness/proof:execution-proof-helpers-files", + "//protocol-correctness/proof:invariant-files", + "//protocol-correctness:pseudocode-files", + ], +) + +klibrary( + name = "init-loop-parts-files", + srcs = ["init-loop-parts.k"], + deps = [ + "//protocol-correctness/proof:execution-proof-helpers-files", + "//protocol-correctness/proof:invariant-files", + "//protocol-correctness:pseudocode-files", + ], +) + +# TODO: Delete. +klibrary( + name = "perform-parts-files", + srcs = ["perform-parts.k"], + deps = [ + "//protocol-correctness/proof:execution-proof-helpers-files", + "//protocol-correctness/proof:invariant-files", + "//protocol-correctness:pseudocode-files", + ], +) + +# kprove_test( +# name = "proof-discard-action", +# srcs = ["proof-discard-action.k"], +# trusted = [ +# "//protocol-correctness/proof/functions:trusted-discard-action-has-signers", +# "//protocol-correctness/proof/functions:trusted-discard-action-no-role", +# "//protocol-correctness/proof/functions:trusted-discard-action-no-signers", +# "//protocol-correctness/proof/functions:trusted-discard-action-no-signers-no-action", +# "//protocol-correctness/proof/functions:trusted-discard-action-no-user", +# "//protocol-correctness/proof/functions:trusted-discard-action-no-valid-signers", +# "//protocol-correctness/proof/functions:trusted-discard-action-no-valid-signers-no-action", +# ], +# semantics = ":invariant-execution", +# ) + +# kprove_test( +# 
name = "proof-perform-action-endpoint", +# srcs = ["proof-perform-action-endpoint.k"], +# trusted = [ +# ], +# semantics = ":invariant-execution", +# ) + +kprove_test( + name = "proof-perform-parts-change-quorum", + srcs = ["proof-perform-parts-change-quorum.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-change-quorum", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-change-quorum-no-quorum", + srcs = ["proof-perform-parts-change-quorum-no-quorum.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-change-quorum-no-quorum", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-New", + srcs = ["proof-perform-parts-New.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-New", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-None", + srcs = ["proof-perform-parts-None.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-None", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-no-quorum", + srcs = ["proof-perform-parts-no-quorum.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-no-quorum", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-nothing", + srcs = ["proof-perform-parts-nothing.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-nothing", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-sc-call", + srcs = ["proof-perform-parts-sc-call.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-sc-call", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-sc-deploy", + srcs = 
["proof-perform-parts-sc-deploy.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-sc-deploy", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-send-egld", + srcs = ["proof-perform-parts-send-egld.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-send-egld", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member", + srcs = ["proof-perform-parts-add-board-member.k"], + trusted = [ + ":trusted-perform-parts-add-board-member-boardmember-eq", + ":trusted-perform-parts-add-board-member-boardmember", + ":trusted-perform-parts-add-board-member-new", + ":trusted-perform-parts-add-board-member-none", + ":trusted-perform-parts-add-board-member-proposer-eq", + ":trusted-perform-parts-add-board-member-proposer", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer", + srcs = ["proof-perform-parts-add-proposer.k"], + trusted = [ + ":trusted-perform-parts-add-proposer-BoardMember-eq", + ":trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq", + ":trusted-perform-parts-add-proposer-BoardMember-no-quorum", + ":trusted-perform-parts-add-proposer-BoardMember", + ":trusted-perform-parts-add-proposer-New", + ":trusted-perform-parts-add-proposer-None", + ":trusted-perform-parts-add-proposer-Proposer-eq", + ":trusted-perform-parts-add-proposer-Proposer", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member-boardmember-eq", + srcs = ["proof-perform-parts-add-board-member-boardmember-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-board-member-BoardMember-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member-boardmember", + srcs = ["proof-perform-parts-add-board-member-boardmember.k"], + 
trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-board-member-BoardMember", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member-new", + srcs = ["proof-perform-parts-add-board-member-new.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-board-member-New", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member-none", + srcs = ["proof-perform-parts-add-board-member-none.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-board-member-None", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member-proposer-eq", + srcs = ["proof-perform-parts-add-board-member-proposer-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-board-member-Proposer-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-board-member-proposer", + srcs = ["proof-perform-parts-add-board-member-proposer.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-board-member-Proposer", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-BoardMember-eq", + srcs = ["proof-perform-parts-add-proposer-BoardMember-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-BoardMember-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-BoardMember", + srcs = ["proof-perform-parts-add-proposer-BoardMember.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-BoardMember", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = 
"proof-perform-parts-add-proposer-BoardMember-no-quorum-eq", + srcs = ["proof-perform-parts-add-proposer-BoardMember-no-quorum-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-BoardMember-no-quorum", + srcs = ["proof-perform-parts-add-proposer-BoardMember-no-quorum.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-BoardMember-no-quorum", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-New", + srcs = ["proof-perform-parts-add-proposer-New.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-New", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-None", + srcs = ["proof-perform-parts-add-proposer-None.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-None", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-Proposer-eq", + srcs = ["proof-perform-parts-add-proposer-Proposer-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-Proposer-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-add-proposer-Proposer", + srcs = ["proof-perform-parts-add-proposer-Proposer.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-add-proposer-Proposer", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-BoardMember-eq", + srcs = ["proof-perform-parts-remove-user-BoardMember-eq.k"], + trusted = [ + 
"//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-BoardMember-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-BoardMember", + srcs = ["proof-perform-parts-remove-user-BoardMember.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-BoardMember", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-BoardMember-too-few-eq", + srcs = ["proof-perform-parts-remove-user-BoardMember-too-few-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-BoardMember-too-few-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-BoardMember-too-few", + srcs = ["proof-perform-parts-remove-user-BoardMember-too-few.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-BoardMember-too-few", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-New", + srcs = ["proof-perform-parts-remove-user-New.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-New", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-None", + srcs = ["proof-perform-parts-remove-user-None.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-None", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-Proposer-eq", + srcs = ["proof-perform-parts-remove-user-Proposer-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-Proposer-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-Proposer", + srcs = 
["proof-perform-parts-remove-user-Proposer.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-Proposer", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-Proposer-nobody-left-eq", + srcs = ["proof-perform-parts-remove-user-Proposer-nobody-left-eq.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-Proposer-nobody-left-eq", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-remove-user-Proposer-nobody-left", + srcs = ["proof-perform-parts-remove-user-Proposer-nobody-left.k"], + trusted = [ + "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-remove-user-Proposer-nobody-left", + ], + semantics = ":invariant-execution", +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-boardmember-eq", + srcs = ["proof-perform-parts-add-board-member-boardmember-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-boardmember", + srcs = ["proof-perform-parts-add-board-member-boardmember.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-new", + srcs = ["proof-perform-parts-add-board-member-new.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-none", + srcs = ["proof-perform-parts-add-board-member-none.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-proposer-eq", + srcs = ["proof-perform-parts-add-board-member-proposer-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-proposer", + srcs = ["proof-perform-parts-add-board-member-proposer.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = 
"trusted-perform-parts-add-proposer-BoardMember-eq", + srcs = ["proof-perform-parts-add-proposer-BoardMember-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq", + srcs = ["proof-perform-parts-add-proposer-BoardMember-no-quorum-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-BoardMember-no-quorum", + srcs = ["proof-perform-parts-add-proposer-BoardMember-no-quorum.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-BoardMember", + srcs = ["proof-perform-parts-add-proposer-BoardMember.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-New", + srcs = ["proof-perform-parts-add-proposer-New.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-None", + srcs = ["proof-perform-parts-add-proposer-None.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-Proposer-eq", + srcs = ["proof-perform-parts-add-proposer-Proposer-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-Proposer", + srcs = ["proof-perform-parts-add-proposer-Proposer.k"], + visibility = ["//visibility:public"], +) diff --git a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k index 83f9da248..e968baf61 100644 --- a/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k +++ b/multisig/protocol-correctness/proof/invariant/count-can-sign-parts.k 
@@ -1,3 +1,7 @@
+require "protocol-correctness/pseudocode.k"
+require "protocol-correctness/proof/execution-proof-helpers.k"
+require "protocol-correctness/proof/invariant.k"
+
 module COUNT-CAN-SIGN-PARTS
 imports EXECUTION-PROOF-HELPERS
 imports INVARIANT-HELPERS
@@ -18,7 +22,7 @@ module COUNT-CAN-SIGN-PARTS
 performedActions:List)
 [function, functional]
- rule Stack(
+ rule countCanSignLhs(
 SignerIds:ExpressionList,
 K:K,
 Users:UsersCell,
@@ -152,7 +156,7 @@ module COUNT-CAN-SIGN-PARTS
 quorum:KItem,
 ActionStateCell,
 variables:Map,
- Stack:Stack,
+ stack:Stack,
 ExternalCallEnvCell)
 [function, functional]
diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k
index 1a0d71e3d..91e59497d 100644
--- a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k
+++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k
@@ -1,3 +1,7 @@
+require "protocol-correctness/pseudocode.k"
+require "protocol-correctness/proof/execution-proof-helpers.k"
+require "protocol-correctness/proof/invariant.k"
+
 module INIT-LOOP-PARTS
 imports PSEUDOCODE
 imports EXECUTION-PROOF-HELPERS
@@ -13,7 +17,7 @@ module INIT-LOOP-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- Stack:Stack,
+ stack:Stack,
 ExternalCallEnvCell,
 address:Expression,
 userId:Usize)
@@ -85,7 +89,7 @@ module INIT-LOOP-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- Stack:Stack,
+ stack:Stack,
 ExternalCallEnvCell,
 index:Usize,
 address:Expression,
diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k
index c7e0c8175..9084487ea 100644
--- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k
+++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k
@@ -1,23 +1,14 @@
-require "../execution-proof.k"
-require "../functions/functions-execute.k"
+require "protocol-correctness/proof/execution-proof.k"
+require "protocol-correctness/proof/functions/functions-execute.k"
-require "count-can-sign-parts.k"
-require "init-loop-parts.k"
-require "perform-parts.k"
+require "protocol-correctness/proof/invariant/count-can-sign-parts.k"
+require "protocol-correctness/proof/invariant/init-loop-parts.k"
+require "protocol-correctness/proof/invariant/perform-parts.k"
 module INVARIANT-EXECUTION-SYNTAX
 imports EXECUTION-PROOF-SYNTAX
 endmodule
-// TODO: Delete.
-module TEST
- imports INT
-
- syntax KItem ::= sub(Int)
- rule sub(I:Int) => .K requires I <=Int 0
- rule sub(I:Int) => sub(I -Int 1) requires notBool (I <=Int 0)
-endmodule
-
 module INVARIANT-INSTRUMENTATION
 imports MAP
@@ -568,6 +559,493 @@ module DISCARD-ACTION-INSTRUMENTATION
 endmodule
+module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+ // This is a diagram of the splits attempted here. The k files have only
+ // their suffix. The missing prefix is 'proof-perform-action-endpoint-'.
+ //
+ // Has caller user?
+ // No: New.k
+ // Yes: Has caller role?
+ // No: None.k
+ // Yes: Has quorum?
+ // No: TODO: merge no-quorum-has-signers.k + no-quorum-no-signers.k
+ // Yes: Has action?
+ // No: TODO: nothing.k
+ // Yes: split action
+ // action=add-board-member: Is same as caller?
+ // No: New user?
+ // Yes: add-board-member-New.k
+ // No: Has role?
+ // No: add-board-member-None.k
+ // Yes: split role
+ // role=proposer? add-board-member-Proposer.k
+ // role=board-member? add-board-member-BoardMember.k
+ // Yes: split role
+ // role=proposer? add-board-member-Proposer-eq.k
+ // role=board-member? add-board-member-BoardMember-eq.k
+ // action=add-proposer: Is same as caller?
+ // No: New user?
+ // Yes: add-proposer-New.k
+ // No: Has role?
+ // No: add-proposer-None.k
+ // Yes: split role
+ // role=proposer? add-proposer-Proposer.k
+ // role=board-member? goes-below-quorum?
+ // Yes: add-proposer-BoardMember-no-quorum.k
+ // No: add-proposer-BoardMember.k
+ // Yes: split role
+ // role=proposer? add-proposer-Proposer-eq.k
+ // role=board-member? goes-below-quorum?
+ // Yes: add-proposer-BoardMember-no-quorum-eq.k
+ // No: add-proposer-BoardMember-eq.k
+ // action=change-quorum: goes-below-quorum?
+ // Yes: change-quorum-no-quorum.k
+ // No: change-quorum.k
+ // action=remove-user: Is same as caller?
+ // No: New user?
+ // Yes: remove-user-New.k
+ // No: Has role?
+ // No: remove-user-None.k
+ // Yes: split role
+ // role = proposer: has-people-left?
+ // Yes: remove-user-Proposer.k
+ // No: remove-user-Proposer-nobody-left.k
+ // role = board-member: can-still-vote-execute?
+ // Yes: remove-user-BoardMember.k
+ // No: remove-user-BoardMember-too-few.k
+ // Yes: split role
+ // role = proposer: has-people-left?
+ // Yes: remove-user-Proposer-eq.k
+ // No: remove-user-Proposer-nobody-left-eq.k
+ // role = board-member: can-still-vote-execute?
+ // Yes: remove-user-BoardMember-eq.k
+ // No: remove-user-BoardMember-too-few-eq.k
+ // action=sc-call? sc-call.k
+ // action=sc-deploy? sc-deploy.k
+ // action=send-egld? send-egld.k
+
+ imports PERFORM-SPLIT-ACTION-INSTRUMENTATION
+ imports PROOF-INSTRUMENTATION
+ imports EXECUTION-PROOF
+ imports PSEUDOCODE
+
+ // The Haskell backend sometimes leaves traces of
+ // (trusted) claims that failed to apply in the predicate.
+ // Sometimes, these traces increase the execution time by a lot,
+ // so we have to work around this.
+ //
+ // The symbols below allow us to wrap those claims in another set of claims,
+ // which can be attemped without leaving traces.
+ syntax ProofBranch ::= "new.k"
+ syntax ProofBranch ::= "none.k"
+ syntax ProofBranch ::= "no-quorum.k"
+ syntax ProofBranch ::= "add-board-member-New.k"
+ syntax ProofBranch ::= "add-board-member-None.k"
+ syntax ProofBranch ::= "add-board-member-BoardMember.k"
+ syntax ProofBranch ::= "add-board-member-Proposer.k"
+ syntax ProofBranch ::= "add-board-member-BoardMember-eq.k"
+ syntax ProofBranch ::= "add-board-member-Proposer-eq.k"
+ syntax ProofBranch ::= "add-proposer-New.k"
+ syntax ProofBranch ::= "add-proposer-None.k"
+ syntax ProofBranch ::= "add-proposer-BoardMember.k"
+ syntax ProofBranch ::= "add-proposer-BoardMember-no-quorum.k"
+ syntax ProofBranch ::= "add-proposer-Proposer.k"
+ syntax ProofBranch ::= "add-proposer-BoardMember-eq.k"
+ syntax ProofBranch ::= "add-proposer-BoardMember-no-quorum-eq.k"
+ syntax ProofBranch ::= "add-proposer-Proposer-eq.k"
+ syntax ProofBranch ::= "change-quorum.k"
+ syntax ProofBranch ::= "change-quorum-no-quorum.k"
+ syntax ProofBranch ::= "nothing.k"
+ syntax ProofBranch ::= "remove-user-New.k"
+ syntax ProofBranch ::= "remove-user-None.k"
+ syntax ProofBranch ::= "remove-user-BoardMember-too-few.k"
+ syntax ProofBranch ::= "remove-user-BoardMember.k"
+ syntax ProofBranch ::= "remove-user-Proposer-nobody-left.k"
+ syntax ProofBranch ::= "remove-user-Proposer.k"
+ syntax ProofBranch ::= "remove-user-Proposer-nobody-left-eq.k"
+ syntax ProofBranch ::= "remove-user-Proposer-eq.k"
+ syntax ProofBranch ::= "remove-user-BoardMember-too-few-eq.k"
+ syntax ProofBranch ::= "remove-user-BoardMember-eq.k"
+ syntax ProofBranch ::= "sc-call.k"
+ syntax ProofBranch ::= "sc-deploy.k"
+ syntax ProofBranch ::= "send-egld.k"
+
+ syntax KItem ::= ProofBranch
+
+ // TODO: It might be faster to enumerate all cases separately.
+ rule _:ProofBranch => .K
+
+ syntax KItem ::= splitPerformActionEndpoint(actionId:Usize)
+ syntax KItem ::= splitPerformActionEndpoint1(actionId:Usize)
+ syntax KItem ::= splitPerformActionEndpoint2(actionId:Usize)
+ syntax KItem ::= splitPerformActionEndpoint3(action:Action)
+ syntax KItem ::= splitPerformActionEndpoint4(action:Action)
+
+ rule preCall
+ ~> (.K => splitPerformActionEndpoint(ActionId))
+ ~> call(performActionEndpoint(ActionId:Usize))
+ [priority(20)]
+
+ rule splitPerformActionEndpoint(ActionId:Usize)
+ => branchK(
+ CallerAddress in_keys(AddressToUserId),
+ splitPerformActionEndpoint1(ActionId),
+ new.k
+ )
+ ...
+ AddressToUserId:Map
+ CallerAddress:Address
+
+ rule splitPerformActionEndpoint1(ActionId:Usize)
+ => makeConcreteValue(CallerAddress, rUsize, AddressToUserId)
+ ~> branchK(
+ AddressToUserId[CallerAddress] in_keys(UserIdToRole),
+ branchK(
+ Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)),
+ branchK(
+ ActionId in_keys(ActionData),
+ splitPerformActionEndpoint2(ActionId),
+ nothing.k
+ ),
+ no-quorum.k
+ ),
+ none.k
+ )
+ ...
+ AddressToUserId:Map
+ u(Quorum:Int)
+ UserIdToRole:Map
+ CallerAddress:Address
+ ActionSigners:Map
+ ActionData:Map
+ requires CallerAddress in_keys(AddressToUserId)
+
+ syntax Bool ::= isAddBoardMember(Action) [function, functional]
+ rule isAddBoardMember(AddBoardMember(_)) => true
+ rule isAddBoardMember(_) => false [owise]
+
+ syntax Bool ::= isAddProposer(Action) [function, functional]
+ rule isAddProposer(AddProposer(_)) => true
+ rule isAddProposer(_) => false [owise]
+
+ syntax Bool ::= isChangeQuorum(Action) [function, functional]
+ rule isChangeQuorum(ChangeQuorum(_)) => true
+ rule isChangeQuorum(_) => false [owise]
+
+ syntax Bool ::= isRemoveUser(Action) [function, functional]
+ rule isRemoveUser(RemoveUser(_)) => true
+ rule isRemoveUser(_) => false [owise]
+
+ syntax Bool ::= isScCall(Action) [function, functional]
+ rule isScCall(SCCall(_, _, _, _)) => true
+ rule isScCall(_) => false [owise]
+
+ syntax Bool ::= isScDeploy(Action) [function, functional]
+ rule isScDeploy(SCDeploy(_, _, _, _)) => true
+ rule isScDeploy(_) => false [owise]
+
+ syntax Bool ::= isSendEgld(Action) [function, functional]
+ rule isSendEgld(SendEgld(_, _, _)) => true
+ rule isSendEgld(_) => false [owise]
+
+ rule splitPerformActionEndpoint2(ActionId)
+ => makeConcreteValue(ActionId, rAction, ActionData)
+ ~> splitPerformActionEndpoint3({ActionData[ActionId]}:>Action)
+
+ ActionData:Map
+ requires ActionId in_keys(ActionData)
+
+ syntax KItem ::= "action-splitted"
+ rule action-splitted => .K
+
+ rule splitPerformActionEndpoint3(Action:Action)
+ => splitAction(Action)
+ ~> splitPerformActionEndpoint4(Action)
+
+ rule splitPerformActionEndpoint4(Action:Action)
+ => branchK(
+ isAddBoardMember(Action),
+ splitAddBoardMember(Action),
+ branchK(
+ isAddProposer(Action),
+ splitAddProposer(Action),
+ branchK(
+ isChangeQuorum(Action),
+ splitChangeQuorum(Action),
+ branchK(
+ isRemoveUser(Action),
+ splitRemoveUser(Action),
+ branchK(
+ isScCall(Action),
+ sc-call.k,
+ branchK(
+ isScDeploy(Action),
+ sc-deploy.k,
+ branchK(
+ isSendEgld(Action),
+ send-egld.k,
+ stuck
+ )
+ )
+ )
+ )
+ )
+ )
+ )
+
+ syntax KItem ::= splitAddBoardMember(Action)
+ syntax KItem ::= splitAddBoardMember1(Address)
+ syntax KItem ::= splitAddBoardMember2(Address)
+ syntax KItem ::= splitAddBoardMember3(Address)
+
+ rule
+ splitAddBoardMember(AddBoardMember(UserAddress:Address))
+ => branchK(
+ UserAddress ==K CallerAddress,
+ splitAddBoardMember1(UserAddress),
+ branchK(
+ UserAddress in_keys(AddressToUserId),
+ splitAddBoardMember2(UserAddress),
+ add-board-member-New.k
+ )
+ )
+ ...
+ AddressToUserId:Map
+ CallerAddress:Address
+
+ rule
+ splitAddBoardMember1(CallerAddress:Address)
+ => makeConcreteValue(CallerId, rUserRole, UserIdToRole)
+ ~> branchK(
+ UserIdToRole[CallerId] ==K BoardMember,
+ add-board-member-BoardMember-eq.k,
+ branchK(
+ UserIdToRole[CallerId] ==K Proposer,
+ add-board-member-Proposer-eq.k,
+ stuck
+ )
+ )
+ ...
+ UserIdToRole:Map
+ CallerAddress |-> CallerId:Usize _AddressToUserId:Map
+ CallerAddress:Address
+ requires CallerId in_keys(UserIdToRole)
+
+ rule
+ splitAddBoardMember2(UserAddress:Address)
+ => makeConcreteValue(UserAddress, rUsize, AddressToUserId)
+ ~> branchK(
+ AddressToUserId[UserAddress] in_keys(UserIdToRole),
+ splitAddBoardMember3(UserAddress),
+ add-board-member-None.k
+ )
+ ...
+ UserIdToRole:Map
+ AddressToUserId:Map
+ requires UserAddress in_keys(AddressToUserId)
+
+ rule
+ splitAddBoardMember3(UserAddress:Address)
+ => makeConcreteValue(UserId, rUserRole, UserIdToRole)
+ ~> branchK(
+ UserIdToRole[UserId] ==K BoardMember,
+ add-board-member-BoardMember.k,
+ branchK(
+ UserIdToRole[UserId] ==K Proposer,
+ add-board-member-Proposer.k,
+ stuck
+ )
+ )
+ ...
+ UserIdToRole:Map
+ UserAddress |-> UserId:Usize _AddressToUserId:Map
+ requires UserId in_keys(UserIdToRole)
+
+ syntax KItem ::= splitAddProposer(Action)
+ syntax KItem ::= splitAddProposer1(Address)
+ syntax KItem ::= splitAddProposer2(Address)
+ syntax KItem ::= splitAddProposer3(Address)
+ rule
+ splitAddProposer(AddProposer(UserAddress:Address))
+ => branchK(
+ UserAddress ==K CallerAddress,
+ splitAddProposer1(UserAddress),
+ branchK(
+ UserAddress in_keys(AddressToUserId),
+ splitAddProposer2(UserAddress),
+ add-proposer-New.k
+ )
+ )
+ ...
+ AddressToUserId:Map
+ CallerAddress:Address
+
+ rule
+ splitAddProposer1(CallerAddress:Address)
+ => makeConcreteValue(CallerId, rUserRole, UserIdToRole)
+ ~> branchK(
+ UserIdToRole[CallerId] ==K BoardMember,
+ branchK(
+ Quorum <=Int NumBoardMembers -Int 1,
+ add-proposer-BoardMember-eq.k,
+ add-proposer-BoardMember-no-quorum-eq.k
+ ),
+ branchK(
+ UserIdToRole[CallerId] ==K Proposer,
+ add-proposer-Proposer-eq.k,
+ stuck
+ )
+ )
+ ...
+ u(NumBoardMembers)
+ u(Quorum)
+ UserIdToRole:Map
+ CallerAddress |-> CallerId:Usize _AddressToUserId:Map
+ CallerAddress:Address
+ requires CallerId in_keys(UserIdToRole)
+
+ rule
+ splitAddProposer2(UserAddress:Address)
+ => makeConcreteValue(UserAddress, rUsize, AddressToUserId)
+ ~> branchK(
+ AddressToUserId[UserAddress] in_keys(UserIdToRole),
+ splitAddProposer3(UserAddress),
+ add-proposer-None.k
+ )
+ ...
+ UserIdToRole:Map
+ AddressToUserId:Map
+ requires UserAddress in_keys(AddressToUserId)
+
+ rule
+ splitAddProposer3(UserAddress:Address)
+ => makeConcreteValue(UserId, rUserRole, UserIdToRole)
+ ~> branchK(
+ UserIdToRole[UserId] ==K BoardMember,
+ branchK(
+ Quorum ==Int NumBoardMembers,
+ add-proposer-BoardMember-no-quorum.k,
+ add-proposer-BoardMember.k
+ ),
+ branchK(
+ UserIdToRole[UserId] ==K Proposer,
+ add-proposer-Proposer.k,
+ stuck
+ )
+ )
+ ...
+ u(NumBoardMembers:Int)
+ u(Quorum:Int)
+ UserIdToRole:Map
+ UserAddress |-> UserId:Usize _AddressToUserId:Map
+ requires UserId in_keys(UserIdToRole)
+
+ syntax KItem ::= splitChangeQuorum(Action)
+
+ rule
+ splitChangeQuorum(ChangeQuorum(u(NewQuorum:Int)))
+ => branchK(
+ NewQuorum >Int NumBoardMembers,
+ change-quorum-no-quorum.k,
+ change-quorum.k
+ )
+ ...
+ u(NumBoardMembers:Int)
+
+ syntax KItem ::= splitRemoveUser(Action)
+ syntax KItem ::= splitRemoveUser1(Address)
+ syntax KItem ::= splitRemoveUser2(Address)
+ syntax KItem ::= splitRemoveUser3(Address)
+
+ rule
+ splitRemoveUser(RemoveUser(UserAddress:Address))
+ => branchK(
+ UserAddress ==K CallerAddress,
+ splitRemoveUser1(UserAddress),
+ branchK(
+ UserAddress in_keys(AddressToUserId),
+ splitRemoveUser2(UserAddress),
+ remove-user-New.k
+ )
+ )
+ ...
+ AddressToUserId:Map
+ CallerAddress:Address
+
+ rule
+ splitRemoveUser1(CallerAddress:Address)
+ => makeConcreteValue(CallerId, rUserRole, UserIdToRole)
+ ~> branchK(
+ UserIdToRole[CallerId] ==K BoardMember,
+ branchK(
+ NumBoardMembers +Int NumProposers ==Int 1
+ orBool Quorum ==Int NumBoardMembers,
+ remove-user-Proposer-nobody-left-eq.k,
+ remove-user-Proposer-eq.k
+ ),
+ branchK(
+ UserIdToRole[CallerId] ==K Proposer,
+ branchK(
+ NumBoardMembers +Int NumProposers ==Int 1,
+ remove-user-BoardMember-too-few-eq.k,
+ remove-user-BoardMember-eq.k
+ ),
+ stuck
+ )
+ )
+ ...
+ u(NumBoardMembers)
+ u(NumProposers)
+ u(Quorum)
+ UserIdToRole:Map
+ CallerAddress |-> CallerId:Usize _AddressToUserId:Map
+ CallerAddress:Address
+ requires CallerId in_keys(UserIdToRole)
+
+ rule
+ splitRemoveUser2(UserAddress:Address)
+ => makeConcreteValue(UserAddress, rUsize, AddressToUserId)
+ ~> branchK(
+ AddressToUserId[UserAddress] in_keys(UserIdToRole),
+ splitRemoveUser3(UserAddress),
+ remove-user-None.k
+ )
+ ...
+ UserIdToRole:Map
+ AddressToUserId:Map
+ requires UserAddress in_keys(AddressToUserId)
+
+ rule
+ splitRemoveUser3(UserAddress:Address)
+ => makeConcreteValue(UserId, rUserRole, UserIdToRole)
+ ~> branchK(
+ UserIdToRole[UserId] ==K BoardMember,
+ branchK(
+ NumBoardMembers +Int NumProposers ==Int 1
+ orBool Quorum ==Int NumBoardMembers,
+ remove-user-BoardMember-too-few.k,
+ remove-user-BoardMember.k
+ ),
+ branchK(
+ UserIdToRole[UserId] ==K Proposer,
+ branchK(
+ NumBoardMembers +Int NumProposers ==Int 1,
+ remove-user-Proposer-nobody-left.k,
+ remove-user-Proposer.k
+ ),
+ stuck
+ )
+ )
+ ...
+ u(NumBoardMembers:Int)
+ u(NumProposers:Int)
+ u(Quorum:Int)
+ UserIdToRole:Map
+ UserAddress |-> UserId:Usize _AddressToUserId:Map
+ requires UserId in_keys(UserIdToRole)
+
+endmodule
+
 module INVARIANT-EXECUTION
 imports EXECUTION-PROOF
 imports FUNCTIONS-EXECUTE
@@ -583,11 +1061,9 @@ module INVARIANT-EXECUTION
 imports PROPOSE-SC-DEPLOY-INSTRUMENTATION
 imports DISCARD-ACTION-INSTRUMENTATION
 imports UNSIGN-INSTRUMENTATION
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
 imports COUNT-CAN-SIGN-PARTS
 imports INIT-LOOP-PARTS
 imports PERFORM-PARTS
-
- // TODO: Delete.
- imports TEST
 endmodule
\ No newline at end of file
diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k
index 278c46bbb..7882d701a 100644
--- a/multisig/protocol-correctness/proof/invariant/perform-parts.k
+++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k
@@ -1,3 +1,7 @@
+require "protocol-correctness/pseudocode.k"
+require "protocol-correctness/proof/execution-proof-helpers.k"
+require "protocol-correctness/proof/invariant.k"
+
 module PERFORM-PARTS
 imports EXECUTION-PROOF-HELPERS
@@ -65,7 +69,7 @@ module PERFORM-PARTS
 userIdToRole:Map,
 quorum:Usize,
 ActionStateCell,
- Stack:Stack,
+ stack:Stack,
 callerAddress:Address,
 performedActions:List)
 [function, functional]
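Review bot: In `splitRemoveUser1` the branch markers are paired with the wrong role: the `UserIdToRole[CallerId] ==K BoardMember` branch selects `remove-user-Proposer-nobody-left-eq.k` / `remove-user-Proposer-eq.k`, and the `==K Proposer` branch selects `remove-user-BoardMember-too-few-eq.k` / `remove-user-BoardMember-eq.k`, while `splitRemoveUser3` and the diagram at the top of the module pair board-member with `too-few` and proposer with `nobody-left`. Because `rule _:ProofBranch => .K` erases the marker, the prover will likely still run, but the label no longer names the trusted claim the branch is meant to exercise, which defeats the purpose of the markers and will mislead anyone debugging a split that fails. The conditions already sit on the right side (`orBool Quorum ==Int NumBoardMembers` only under the BoardMember test, as in `splitRemoveUser3`), so only the four marker symbols need to swap: the BoardMember branch should read `remove-user-BoardMember-too-few-eq.k, remove-user-BoardMember-eq.k` and the Proposer branch `remove-user-Proposer-nobody-left-eq.k, remove-user-Proposer-eq.k`. Separately, `attemped` in the comment introducing the `ProofBranch` symbols should read `attempted`.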
@@ -81,7 +85,7 @@ module PERFORM-PARTS
 quorum:Usize,
 ActionStateCell,
 variables:Map,
- Stack:Stack,
+ stack:Stack,
 callerAddress:Address,
 performedActions:List)
 [function, functional]
diff --git a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k
index 1a7fe67be..3bcb019b0 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-count-can-sign.k
@@ -1,4 +1,6 @@
-module TRUSTED-COUNT-CAN-SIGN
+// TODO: Delete and use the one in functions
+
+module TRUSTED-COUNT-CAN-SIGNz
 imports COUNT-CAN-SIGN-PARTS
 claim countCanSignLhs(
@@ -57,7 +59,7 @@ module TRUSTED-COUNT-CAN-SIGN
 endmodule
-module PROOF-COUNT-CAN-SIGN
+module PROOF-COUNT-CAN-SIGNz
 imports INVARIANT-EXECUTION
 claim countCanSignLhs(
diff --git a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k
index 8a1060ab7..acbb362a2 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-discard-action.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-discard-action.k
@@ -1,10 +1,10 @@
-require "../functions/trusted-discard-action-has-signers.k"
-require "../functions/trusted-discard-action-no-role.k"
-require "../functions/trusted-discard-action-no-signers.k"
-require "../functions/trusted-discard-action-no-signers-no-action.k"
-require "../functions/trusted-discard-action-no-user.k"
-require "../functions/trusted-discard-action-no-valid-signers.k"
-require "../functions/trusted-discard-action-no-valid-signers-no-action.k"
+require "protocol-correctness/proof/functions/trusted-discard-action-has-signers.k" //@ Bazel remove
+require "protocol-correctness/proof/functions/trusted-discard-action-no-role.k" //@ Bazel remove
+require "protocol-correctness/proof/functions/trusted-discard-action-no-signers.k" //@ Bazel remove
+require "protocol-correctness/proof/functions/trusted-discard-action-no-signers-no-action.k" //@ Bazel remove
+require "protocol-correctness/proof/functions/trusted-discard-action-no-user.k" //@ Bazel remove
+require "protocol-correctness/proof/functions/trusted-discard-action-no-valid-signers.k" //@ Bazel remove
+require "protocol-correctness/proof/functions/trusted-discard-action-no-valid-signers-no-action.k" //@ Bazel remove
 module PROOF-DISCARD-ACTION
 imports INVARIANT-EXECUTION
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k
deleted file mode 100644
index 93f994d20..000000000
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-board-member.k
+++ /dev/null
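Review bot: The `//@ Bazel remove` trailer added to each `require` line in proof-discard-action.k is an undocumented magic marker; nothing in the file says what consumes it or why these requires must disappear under one build path but stay for another. The `trusted = [...]` attributes in the BUILD hunk earlier in this patch suggest the Bazel rules supply those trusted modules themselves, but that is an inference a reader of the .k file cannot make. Add a short comment above the block along the lines of `// Requires tagged '//@ Bazel remove' are stripped by the Bazel build, which provides these trusted modules through its own dependency list; they are kept for standalone kprove runs.`, adjusted to whatever the tooling actually does.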
@@ -1,126 +0,0 @@ -require "../functions/functions-execute.k" - -require "../functions/trusted-change-user-role-New.k" -require "../functions/trusted-change-user-role-BoardMember.k" -require "../functions/trusted-change-user-role-Proposer.k" -require "../functions/trusted-change-user-role-None.k" - -module TRUSTED-PERFORM-ADD-BOARD-MEMBER - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddBoardMember(_BoardMemberAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] -endmodule - -module PROOF-PERFORM-ADD-BOARD-MEMBER - imports INVARIANT-EXECUTION - - imports TRUSTED-CHANGE-USER-ROLE-NEW - imports TRUSTED-CHANGE-USER-ROLE-NONE - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER - - claim - - performLhs( - AddBoardMember(_BoardMemberAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - 
performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k deleted file mode 100644 index a703aa349..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-1.k +++ /dev/null 
@@ -1,108 +0,0 @@ -module TRUSTED-PERFORM-ADD-PROPOSER-1 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - _PerformedActions:List) - - => - - performRhs( - error, - K, - u(?_NumUsersFinal:Int), - ?_UserIdToAddressFinal:Map, - ?_AddressToUserIdFinal:Map, - u(?_NumBoardMembersFinal:Int), - u(?_NumProposersFinal:Int), - ?_UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack, - CallerAddress, - ?_PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool Quorum ==K NumBoardMembers - [trusted] - -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-1 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - _PerformedActions:List) - - => - - performRhs( - error, - K, - u(?_NumUsersFinal:Int), - ?_UserIdToAddressFinal:Map, - ?_AddressToUserIdFinal:Map, - u(?_NumBoardMembersFinal:Int), - u(?_NumProposersFinal:Int), - ?_UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ?_PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - 
Quorum) - andBool Quorum ==K NumBoardMembers - -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k deleted file mode 100644 index 338c3a005..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-3.k +++ /dev/null 
@@ -1,136 +0,0 @@ -require "../functions/functions-execute.k" - -require "../functions/trusted-change-user-role-New.k" -require "../functions/trusted-change-user-role-None.k" -require "../functions/trusted-change-user-role-BoardMember.k" -require "../functions/trusted-change-user-role-Proposer.k" - -module TRUSTED-PERFORM-ADD-PROPOSER-3 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (Quorum ==K NumBoardMembers) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] - -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-3 - imports INVARIANT-EXECUTION - - imports TRUSTED-CHANGE-USER-ROLE-NEW - imports TRUSTED-CHANGE-USER-ROLE-NONE - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - 
NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> BoardMember _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (Quorum ==K NumBoardMembers) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k deleted file mode 100644 index 4d1c14423..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-5.k +++ /dev/null 
@@ -1,136 +0,0 @@ -require "../functions/functions-execute.k" - -require "../functions/trusted-change-user-role-New.k" -require "../functions/trusted-change-user-role-None.k" -require "../functions/trusted-change-user-role-BoardMember.k" -require "../functions/trusted-change-user-role-Proposer.k" - -module TRUSTED-PERFORM-ADD-PROPOSER-5 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerRole ==K BoardMember) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] - -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-5 - imports INVARIANT-EXECUTION - - imports TRUSTED-CHANGE-USER-ROLE-NEW - imports TRUSTED-CHANGE-USER-ROLE-NONE - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, 
- NumBoardMembers:Usize, - NumProposers:Usize, - (ProposerId |-> ProposerRole:KItem _:Map) #as UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerRole ==K BoardMember) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k deleted file mode 100644 index e1ec6b9d6..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-7.k +++ /dev/null 
@@ -1,135 +0,0 @@ -require "../functions/functions-execute.k" - -require "../functions/trusted-change-user-role-New.k" -require "../functions/trusted-change-user-role-None.k" -require "../functions/trusted-change-user-role-BoardMember.k" -require "../functions/trusted-change-user-role-Proposer.k" - -module TRUSTED-PERFORM-ADD-PROPOSER-7 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerId in_keys(UserIdToRole)) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] - -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-7 - imports INVARIANT-EXECUTION - - imports TRUSTED-CHANGE-USER-ROLE-NEW - imports TRUSTED-CHANGE-USER-ROLE-NONE - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - ProposerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - 
NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerId in_keys(UserIdToRole)) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k deleted file mode 100644 index 1fc6e6afc..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-8.k +++ /dev/null 
@@ -1,134 +0,0 @@ -require "../functions/functions-execute.k" - -require "../functions/trusted-change-user-role-New.k" -require "../functions/trusted-change-user-role-None.k" -require "../functions/trusted-change-user-role-BoardMember.k" -require "../functions/trusted-change-user-role-Proposer.k" - -module TRUSTED-PERFORM-ADD-PROPOSER-8 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(CallerAddress) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerId in_keys(UserIdToRole)) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-8 - imports INVARIANT-EXECUTION - - imports TRUSTED-CHANGE-USER-ROLE-NEW - imports TRUSTED-CHANGE-USER-ROLE-NONE - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER - - claim - - performLhs( - AddProposer(CallerAddress) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - ( - CallerAddress |-> ProposerId:Usize - _:Map - ) #as AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, 
- Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerId in_keys(UserIdToRole)) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k b/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k deleted file mode 100644 index b301ee389..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-add-proposer-9.k +++ /dev/null 
@@ -1,128 +0,0 @@ -require "../functions/functions-execute.k" - -require "../functions/trusted-change-user-role-New.k" -require "../functions/trusted-change-user-role-None.k" -require "../functions/trusted-change-user-role-BoardMember.k" -require "../functions/trusted-change-user-role-Proposer.k" - -module TRUSTED-PERFORM-ADD-PROPOSER-9 - imports INVARIANT-EXECUTION - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerAddress in_keys(AddressToUserId)) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) - [trusted] -endmodule - -module PROOF-PERFORM-ADD-PROPOSER-9 - imports INVARIANT-EXECUTION - - imports TRUSTED-CHANGE-USER-ROLE-NEW - imports TRUSTED-CHANGE-USER-ROLE-NONE - imports TRUSTED-CHANGE-USER-ROLE-BOARDMEMBER - imports TRUSTED-CHANGE-USER-ROLE-PROPOSER - - claim - - performLhs( - AddProposer(ProposerAddress:Address) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - 
CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - u(?NumUsersFinal:Int), - ?UserIdToAddressFinal:Map, - ?AddressToUserIdFinal:Map, - u(?NumBoardMembersFinal:Int), - u(?NumProposersFinal:Int), - ?UserIdToRoleFinal:Map, - Quorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - andBool notBool (ProposerAddress in_keys(AddressToUserId)) - ensures performEnsures( - u(?NumUsersFinal), - ?UserIdToAddressFinal, - ?AddressToUserIdFinal, - u(?NumBoardMembersFinal), - u(?NumProposersFinal), - ?UserIdToRoleFinal, - Quorum) -endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k deleted file mode 100644 index 8d667c3fc..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-change-quorum.k +++ /dev/null 
@@ -1,225 +0,0 @@ -module TRUSTED-PERFORM-CHANGE-QUORUM - imports INVARIANT-EXECUTION - - claim - - performLhs( - ChangeQuorum(u(NewQuorum:Int)) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - u(NumBoardMembers:Int), - NumProposers:Usize, - UserIdToRole:Map, - OldQuorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - u(NewQuorum), - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum) - andBool NewQuorum <=Int NumBoardMembers - ensures performEnsures( - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - u(NewQuorum)) - [trusted] - - claim - - performLhs( - ChangeQuorum(u(NewQuorum:Int)) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - u(NumBoardMembers:Int), - NumProposers:Usize, - UserIdToRole:Map, - OldQuorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - _PerformedActions:List) - - => - - performRhs( - error, - K, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ?_PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum) - andBool NewQuorum >Int NumBoardMembers - ensures performEnsures( - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum) - [trusted] -endmodule - 
-module PROOF-PERFORM-CHANGE-QUORUM - imports INVARIANT-EXECUTION - - claim - - performLhs( - ChangeQuorum(u(NewQuorum:Int)) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - u(NumBoardMembers:Int), - NumProposers:Usize, - UserIdToRole:Map, - OldQuorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - u(NewQuorum), - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum) - andBool NewQuorum <=Int NumBoardMembers - ensures performEnsures( - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - u(NewQuorum)) - - claim - - performLhs( - ChangeQuorum(u(NewQuorum:Int)) #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - u(NumBoardMembers:Int), - NumProposers:Usize, - UserIdToRole:Map, - OldQuorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - _PerformedActions:List) - - => - - performRhs( - error, - K, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum, - ActionState, - ?_Variables:Map, - Stack:Stack, - CallerAddress, - ?_PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum) - andBool NewQuorum >Int NumBoardMembers - ensures performEnsures( - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - OldQuorum) -endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k b/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k deleted file mode 100644 index 011e6646a..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-nothing.k +++ /dev/null 
@@ -1,114 +0,0 @@ -module TRUSTED-PERFORM-NOTHING - imports INVARIANT-EXECUTION - - claim - - performLhs( - Nothing #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionState, - ?_Variables:Map, - Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - ensures performEnsures( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - [trusted] -endmodule - -module PROOF-PERFORM-NOTHING - imports INVARIANT-EXECUTION - - claim - - performLhs( - Nothing #as Action:Action, - K:K, - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserIdToRole:Map, - Quorum:Usize, - ActionState:ActionStateCell, - Stack:Stack, - CallerAddress:Address, - PerformedActions:List) - - => - - performRhs( - evaluate(void), - K, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum, - ActionState, - ?_Variables:Map, - Stack, - CallerAddress, - ListItem(Action) PerformedActions:List) - - requires performRequires( - Action, - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) - ensures performEnsures( - NumUsers, - UserIdToAddress, - AddressToUserId, - NumBoardMembers, - NumProposers, - UserIdToRole, - Quorum) -endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-New.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-New.k
new file mode 100644
index 000000000..1e0855085
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-New.k
@@ -0,0 +1,61 @@
+//@ proof
+require "../functions/trusted-perform-action-endpoint-New.k" //@ Bazel remove
+
+module PROOF-PERFORM-PARTS-NEW
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-NEW
+//@ trusted
+// module TRUSTED-PERFORM-PARTS-NEW
+//@ end
+
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+
+ claim
+ new.k ~> call(performActionEndpoint(_ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ error ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack,
+ caller_address |-> CallerAddress
+ caller_id |-> u(0)
+ caller_role |-> None,
+ PerformedActions
+ )
+
+ requires true
+ andBool notBool CallerAddress in_keys(AddressToUserId)
+ andBool notBool u(0) in_keys(UserIdToRole)
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-None.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-None.k
new file mode 100644
index 000000000..dd7a30431
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-None.k
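Review bot: The precondition `andBool notBool u(0) in_keys(UserIdToRole)` encodes that id 0 is reserved for an unregistered caller (the RHS binds `caller_id |-> u(0)`), but nothing in the claim says where that reservation comes from; if the global invariant already guarantees that no role is stored under `u(0)`, the condition should be derived from it rather than assumed, and in either case a comment such as `// u(0) is the id assigned to an unregistered caller; it must never carry a role` should state the assumption. The `//@ proof` / `//@ trusted` / `//@ end` markers together with the commented-out `// module TRUSTED-PERFORM-PARTS-NEW` and `// [trusted]` lines look like a preprocessing convention that switches the file between its proof form and a trusted-axiom form, and the convention is undocumented here; a one-line comment at the top of the file naming the tool that consumes the markers would help a reader. The same two points apply to the other proof-perform-parts-* files added in this commit (None, add-board-member-boardmember-eq, add-board-member-boardmember, add-board-member-new).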
@@ -0,0 +1,60 @@
+//@ proof
+require "../functions/trusted-perform-action-endpoint-None.k" //@ Bazel remove
+
+module PROOF-PERFORM-PARTS-NONE
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-NONE
+//@ trusted
+// module TRUSTED-PERFORM-PARTS-NONE
+//@ end
+
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+
+ claim
+ none.k ~> call(performActionEndpoint(_ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> UserId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserIdToRole:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ error ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ CallerAddress,
+ Stack,
+ caller_address |-> CallerAddress
+ caller_id |-> UserId
+ caller_role |-> None,
+ PerformedActions
+ )
+
+ requires true
+ andBool notBool UserId in_keys(UserIdToRole)
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember-eq.k
new file mode 100644
index 000000000..2e1370c3c
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember-eq.k
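Review bot: The claim's only precondition is `andBool notBool UserId in_keys(UserIdToRole)`, so it establishes the error path for a registered address whose id has no role entry, but not for an id that is explicitly mapped to `None`; the RHS `caller_role |-> None` suggests the role lookup defaults to `None` when the key is absent, so if `UserIdToRole` can also store `None` as a value that case looks uncovered and should either get a second claim or be documented as unreachable under the invariant. Unlike the add-board-member claims in this commit, this one does not assume `addressToUserIdInvariant` or `userIdToRoleInvariant`; if they are not needed here, say so, since a reader comparing the files will otherwise wonder whether they were forgotten. A comment at the claim such as `// registered caller with no role entry: performActionEndpoint must reject without touching state` would state what is being proved.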
@@ -0,0 +1,70 @@
+//@ proof
+require "../functions/trusted-perform-action-endpoint-add-board-member-BoardMember-eq.k" //@ Bazel remove
+
+module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER-EQ
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-BOARDMEMBER-EQ
+//@ trusted
+// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER-EQ
+//@ end
+
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+
+ claim
+ add-board-member-BoardMember-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (CallerId |-> BoardMember
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> AddBoardMember(CallerAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
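Review bot: The authorization gate of this claim is `andBool Quorum <=Int countCanSignFunction(...)`, and with `Quorum:Int` unconstrained below, a state with `Quorum` equal to 0 satisfies it with an empty signer list; if the invariant elsewhere guarantees a positive quorum this should be said here, otherwise the claim proves that a board member can perform an unsigned self-add, which is harmless for this no-op case but worth a comment, e.g. `// Quorum >Int 0 is not assumed here; a 0 quorum admits an empty signer set`. The claim also leaves every state component unchanged (the RHS drops only the `ActionId` entries from `ActionData` and `ActionSigners`) while `ensures true` checks nothing, so invariant preservation holds by identity; a comment stating that the action is consumed without changing membership, roles or counters would make the intent explicit.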
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember.k
new file mode 100644
index 000000000..93d24a935
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-boardmember.k
@@ -0,0 +1,73 @@
+//@ proof
+require "../functions/trusted-perform-action-endpoint-add-board-member-BoardMember.k" //@ Bazel remove
+
+module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-BOARDMEMBER
+//@ trusted
+// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER
+//@ end
+
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+
+ claim
+ add-board-member-BoardMember.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ UserAddress |-> UserId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ UserId |-> BoardMember
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool addressToUserIdInvariant(AddressToUserId)
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
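Review bot: The precondition `andBool (Role ==K BoardMember orBool Role ==K Proposer)` admits a Proposer as the caller that drives `performActionEndpoint` to `evaluate(void)`, while the only signer-related condition is the quorum count; that is sound only if the caller's own role never authorizes the action and the signer quorum does, which the claim should state in a comment, e.g. `// caller may be a Proposer: authorization comes from the signer quorum, not from the caller`. The LHS pattern `CallerAddress |-> CallerId:Usize UserAddress |-> UserId:Usize` as map union implies the two keys are distinct, so the `CallerAddress ==K UserAddress` case is intentionally left to the separate boardmember-eq file; a comment saying so at the claim would save a reader from re-deriving the case split.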
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-new.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-new.k
new file mode 100644
index 000000000..9738d9932
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-new.k
@@ -0,0 +1,78 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-board-member-New.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-NEW +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NEW +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-board-member-New.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + u(NumUsers:Int), + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + u(NumUsers +Int 1), + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, + UserAddress |-> u(NumUsers +Int 1) AddressToUserId, + u(NumBoardMembers +Int 1), + NumProposers, + u(NumUsers +Int 1) |-> BoardMember UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. 
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + + andBool notBool UserAddress in_keys(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-none.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-none.k new file mode 100644 index 000000000..5e8a0f0f7 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-none.k 
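Review bot: Freshness of the new id `u(NumUsers +Int 1)` is required only against the keys of `UserIdToAddress` and `UserIdToRole`, yet the post-state also inserts `UserAddress |-> u(NumUsers +Int 1)` into `AddressToUserId`, and the hunk's own TODO admits nothing says that id is unused among that map's values. If some existing address already maps to it, the post-state has two addresses sharing one user id and every role count the invariant depends on is then taken over a non-injective map, so this is exactly the hypothesis the aggregate proof has to discharge. Unless `invariant(...)` at the call site already implies it, I would add the `unusedIdsInMapValues(AddressToUserId)` condition the TODO names next to the two `unusedIdsInMapKeys` lines and replace the TODO with a sentence saying where value-side freshness comes from; note this fragment also omits the `addressToUserIdInvariant(AddressToUserId)` hypothesis that every sibling fragment carries. The comment typo `someting` should read `something`.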
@@ -0,0 +1,73 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-board-member-None.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-NONE + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-NONE +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NONE +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-board-member-None.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers +Int 1), + NumProposers, + UserId |-> BoardMember UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool notBool UserId in_keys(UserIdToRole) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer-eq.k new file mode 100644 index 000000000..540941279 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer-eq.k 
@@ -0,0 +1,71 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-board-member-Proposer-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-PROPOSER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-board-member-Proposer-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Proposer + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers +Int 1), + u(NumProposers -Int 1), + CallerId |-> BoardMember + UserIdToRoleInner:Map, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer.k new file mode 100644 index 000000000..37ab3d8ff --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-proposer.k 
@@ -0,0 +1,75 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-board-member-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-BOARD-MEMBER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-board-member-Proposer.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (UserId |-> Proposer + CallerId |-> Role:UserRole + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddBoardMember(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers +Int 1), + u(NumProposers -Int 1), + UserId |-> BoardMember + CallerId |-> Role:UserRole + UserIdToRoleInner:Map, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k new file mode 100644 index 000000000..6cf75151e --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k 
@@ -0,0 +1,107 @@ +//@ proof +require "trusted-perform-parts-add-board-member-BoardMember-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-New.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-None.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-Proposer-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NEW + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NONE + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER +//@ end + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitPerformActionEndpoint4(AddBoardMember(_UserAddress:Address) #as Action:Action) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> Action ActionData0:Map) #as ActionData:Map, + ActionSigners0:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners0), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + 
?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners0, + expand(expanded)) + andBool CallerId in_keys(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners0[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-eq.k new file mode 100644 index 000000000..68dd30159 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-eq.k 
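Review bot: The hypothesis `invariant(..., ActionData0, ActionSigners0, ...)` is stated on the action map with the action being performed removed (`ActionData0`), while the state carries `(ActionId |-> Action ActionData0) #as ActionData`, and nothing explains why the invariant is assumed on the smaller map. If that is deliberate, a comment at the `requires` such as `// invariant assumed on ActionData0: the action being performed is consumed by every fragment` would make it auditable; if not, the hypothesis is weaker than what `ensures` re-establishes and the inductive step does not close. `Quorum <=Int countCanSignFunction(...)` is likewise an assumption here, not something proved, so the check that a quorum was actually reached must be discharged wherever `splitPerformActionEndpoint4` itself is reasoned about, and that belongs in a comment too. The add-proposer aggregate later in this patch states its hypotheses in a different shape, so the two should be reconciled.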
@@ -0,0 +1,72 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-BoardMember-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-BoardMember-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers +Int 1), + (CallerId |-> Proposer + UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
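Review bot: The guard `Quorum <=Int NumBoardMembers -Int 1` is the security-critical hypothesis of this demotion fragment (the board may shrink only while the remaining members can still reach quorum), and its complement is covered by the `-no-quorum-eq` sibling only for `Quorum ==Int NumBoardMembers`. The two are exhaustive only if `Quorum <=Int NumBoardMembers` already holds in the pre-state, which neither fragment assumes and which presumably comes from `invariant(...)` in the aggregate. I would record that next to the guard, e.g. `// board may only shrink while Quorum <= NumBoardMembers still holds; Quorum ==Int NumBoardMembers is add-proposer-BoardMember-no-quorum-eq.k, Quorum >Int NumBoardMembers is excluded by the state invariant`, so the case split can be checked without opening the aggregate.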
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum-eq.k new file mode 100644 index 000000000..29415667d --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum-eq.k 
@@ -0,0 +1,72 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-BoardMember-no-quorum-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-BoardMember-no-quorum-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum ==Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule + 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum.k new file mode 100644 index 000000000..367f7de27 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember-no-quorum.k 
@@ -0,0 +1,74 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-BoardMember-no-quorum.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum ==Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
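Review bot: The post-state of this error fragment keeps `ActionId |-> Action ActionData`, `ActionSigners` and both role counters exactly as in the pre-state, which is the property that a rejected demotion neither consumes the action nor drops its signatures, and nothing in the claim says that this is the point. A comment above `error ~> K:K` such as `// failed quorum check: action, signers and role counts are untouched` would make the intent explicit. The hypothesis `Quorum ==Int NumBoardMembers` (rather than `>=Int`) leans on the state invariant bounding `Quorum` by the board size; if that invariant is ever relaxed, this fragment silently stops covering the new states, so the reliance is worth a note as well.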
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember.k new file mode 100644 index 000000000..a6fc308c5 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-BoardMember.k 
@@ -0,0 +1,76 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-BoardMember.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> BoardMember + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers +Int 1), + (CallerId |-> Role:UserRole + UserId |-> Proposer + UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-New.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-New.k new file mode 100644 index 000000000..feff47568 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-New.k 
@@ -0,0 +1,79 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-New.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-NEW +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NEW +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-New.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + u(NumUsers:Int), + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + u(NumUsers +Int 1), + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, + UserAddress |-> u(NumUsers +Int 1) AddressToUserId, + u(NumBoardMembers), + u(NumProposers +Int 1), + u(NumUsers +Int 1) |-> Proposer UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // someting to map values to keys. 
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool Quorum <=Int NumBoardMembers + + andBool notBool UserAddress in_keys(AddressToUserId) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-None.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-None.k new file mode 100644 index 000000000..f5648b627 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-None.k 
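Review bot: The value-side freshness gap is left as a TODO here as well: `AddressToUserId` gains `UserAddress |-> u(NumUsers +Int 1)`, but only the keys of `UserIdToAddress` and `UserIdToRole` are required to avoid that id, and `addressToUserIdInvariant(AddressToUserId)` is not assumed although every non-New sibling assumes it. Separately, `Quorum <=Int NumBoardMembers` is a hypothesis although this case leaves the board size unchanged, which I read as mirroring a post-change quorum check in the proposer path only (the add-board-member fragments have no such hypothesis); a comment such as `// needed because the add-proposer path re-checks quorum <= board size; follows from the state invariant` would keep it from being dropped later as redundant. The comment typo `someting` should read `something`.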
@@ -0,0 +1,74 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-None.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-NONE + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-NONE +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NONE +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-None.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers +Int 1), + UserId |-> Proposer UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool notBool UserId in_keys(UserIdToRole) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer-eq.k new file mode 100644 index 000000000..f0807b109 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer-eq.k 
@@ -0,0 +1,71 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-Proposer-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-PROPOSER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-PROPOSER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-Proposer-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer.k new file mode 100644 index 000000000..b5f9cd716 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-Proposer.k 
@@ -0,0 +1,75 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-add-proposer-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-PROPOSER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-ADD-PROPOSER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + add-proposer-Proposer.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + UserId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> AddProposer(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule + 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k new file mode 100644 index 000000000..85e5bf480 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k 
@@ -0,0 +1,94 @@ +//@ proof +require "trusted-perform-parts-add-proposer-BoardMember-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-New.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-None.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-Proposer-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NEW + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NONE + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER +//@ end + + claim + action-splitted + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> runExternalCalls(EC:ExternalCommands) + + invariantState( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + _PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserRoles1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + 
?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers:Usize, + UserIdToAddress:Map, + AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + Quorum:Usize, + ActionLastIndex0:Usize, + ActionData0:Map, + ActionSigners0:Map, + expand(expanded)) + andBool ActionId in_keys(ActionData) + andBool isAddProposer({ActionData[ActionId]}:>Action) + ensures invariant( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserRoles1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-no-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-no-quorum.k new file mode 100644 index 000000000..95b23ca17 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-no-quorum.k 
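Review bot: In the `requires` clause, `ActionId in_keys(ActionData)` and `isAddProposer({ActionData[ActionId]}:>Action)` refer to `ActionData`, but the left-hand side binds the action map as `ActionData0:Map` (and the right-hand side as `?ActionData1`), so `ActionData` is bound nowhere in the claim. Depending on how the prover treats the unbound name this is either a front-end error or a vacuous side condition that no longer restricts the performed action to an AddProposer entry, so the claim would cover states the per-role lemmas it imports were not proved for. Change the two conditions to `andBool ActionId in_keys(ActionData0)` and `andBool isAddProposer({ActionData0[ActionId]}:>Action)`.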
@@ -0,0 +1,71 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-change-quorum-no-quorum.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-CHANGE-QUORUM-NO-QUORUM + imports TRUSTED-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM-NO-QUORUM +//@ trusted +// module TRUSTED-PERFORM-PARTS-CHANGE-QUORUM-NO-QUORUM +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + change-quorum-no-quorum.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(OldQuorum:Int), + ActionLastIndex:Usize, + ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + NumProposers, + UserIdToRole, + u(OldQuorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool NewQuorum >Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool OldQuorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k new file mode 100644 index 000000000..284e8f945 
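Review bot: The right-hand side keeps `ActionId |-> Action ActionData` and the original `ActionSigners`, i.e. a rejected quorum change leaves the proposal and all its signatures pending while the success claim in the next file consumes both; that difference is the whole point of the error claim and deserves to be stated rather than inferred from the pattern. Suggest a comment above `error ~> K:K`: `// Rejected: state unchanged, action and its signers stay pending`. The other error claims in this series (too-few, nobody-left) have the same shape and would benefit from the same comment.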
--- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k @@ -0,0 +1,71 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-change-quorum.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-CHANGE-QUORUM + imports TRUSTED-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM +//@ trusted +// module TRUSTED-PERFORM-PARTS-CHANGE-QUORUM +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + change-quorum.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(OldQuorum:Int), + ActionLastIndex:Usize, + ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + NumProposers, + UserIdToRole, + u(NewQuorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool NewQuorum <=Int NumBoardMembers + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool OldQuorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
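Review bot: The success claim's only constraint on the new value is `NewQuorum <=Int NumBoardMembers`; there is no lower bound, and in the claims of this chunk the quorum is used only as `Quorum <=Int countCanSignFunction(...)`, which a quorum of 0 would satisfy for any action with no signatures at all. If the contract or `invariantStateFull` rules that out (the `u(...)` wrapper may only give non-negativity), the claim should say so with `andBool NewQuorum >Int 0` so the proof does not depend on an unstated assumption; if a zero quorum is genuinely admitted, a comment saying so would spare the next reader the same question.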
diff --git a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-no-quorum.k
similarity index 71%
rename from multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k
rename to multisig/protocol-correctness/proof/invariant/proof-perform-parts-no-quorum.k
index 22ada218c..ba39c37a0 100644
--- a/multisig/protocol-correctness/proof/functions/proof-perform-action-endpoint-no-quorum-no-signers.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-no-quorum.k
@@ -1,15 +1,16 @@
 //@ proof
-require "trusted-perform-action-endpoint-fragment-no-quorum-no-signers.k" //@ Bazel remove
+require "../functions/trusted-perform-action-endpoint-no-quorum.k" //@ Bazel remove
 
-module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS
- imports TRUSTED-PERFORM-ACTION-ENDPOINT-FRAGMENT-NO-QUORUM-NO-SIGNERS
+module PROOF-PERFORM-PARTS-NO-QUORUM
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM
 //@ trusted
-// module TRUSTED-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS
+// module TRUSTED-PERFORM-PARTS-NO-QUORUM
 //@ end
- imports FUNCTIONS-EXECUTE
+
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
 
 claim
- call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ no-quorum.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K
 invariantStateFull(
 NumUsers:Usize,
 UserIdToAddress:Map,
@@ -50,9 +51,10 @@ module PROOF-PERFORM-ACTION-ENDPOINT-NO-QUORUM-NO-SIGNERS
 )
 
 requires true
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool actionSignersInvariant(ActionSigners)
 andBool (Role ==K BoardMember orBool Role ==K Proposer)
- andBool notBool ActionId in_keys(ActionSigners)
- andBool Quorum >Int 0
+ andBool Quorum >Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
 ensures true
 //@ proof
 //@ trusted
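Review bot: In the second hunk the two invariant preconditions are inserted directly under `requires true` in the order `userIdToRoleInvariant` then `actionSignersInvariant`, while every new proof-perform-parts-* file in this commit lists `actionSignersInvariant` first and `userIdToRoleInvariant` second under a `// perform-fragment` marker, with the action-specific conditions grouped under `// perform-from-id`. Since the file is being moved into that same directory, aligning it with that layout (swap the two added lines and add the two markers) keeps the side-condition sets comparable across files. The enclosing claim starts before the hunk.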
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-nothing.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-nothing.k new file mode 100644 index 000000000..e55c9c88e --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-nothing.k @@ -0,0 +1,69 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-nothing.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-NOTHING + imports TRUSTED-PERFORM-ACTION-ENDPOINT-NOTHING +//@ trusted +// module TRUSTED-PERFORM-PARTS-NOTHING +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + nothing.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Nothing) PerformedActions + ) + + requires true + // perform-from-id + andBool notBool ActionId in_keys(ActionData) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
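Review bot: The claim requires `Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}...)` together with `notBool ActionId in_keys(ActionData)`, so the success path for an id with no action data is reachable only if `ActionSigners` can still hold signatures for such an id, or if the quorum can be 0; which of the two is intended is not visible from this file. A comment next to the `// perform-from-id` condition, e.g. `// No action data for ActionId; signatures for it may still be present (see actionSignersInvariant)` or its converse, would document why performing an unknown id succeeds, clears its signers and appends `Nothing` to PerformedActions.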
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-eq.k
new file mode 100644
index 000000000..992993fce
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-eq.k
@@ -0,0 +1,72 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-BoardMember-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-BoardMember-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers), + UserIdToRoleInner, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
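Review bot: The `-eq` suffix of this file is explained only by the pattern `ActionId |-> RemoveUser(CallerAddress:Address)` combined with the single `CallerAddress |-> CallerId` entry, i.e. the user being removed is the caller; nothing in the file says so. Suggest a comment above `claim`: `// -eq variant: the removed user is the caller itself (UserAddress == CallerAddress)`. The same applies to the too-few-eq, Proposer-eq and Proposer-nobody-left-eq files later in this commit.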
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few-eq.k
new file mode 100644
index 000000000..af96105a1
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few-eq.k
@@ -0,0 +1,74 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-BoardMember-too-few-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-TOO-FEW-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-TOO-FEW-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-TOO-FEW-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-BoardMember-too-few-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool (false + orBool NumBoardMembers +Int NumProposers ==Int 1 + orBool Quorum ==Int NumBoardMembers + ) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few.k
new file mode 100644
index 000000000..ec9d1268f
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember-too-few.k
@@ -0,0 +1,77 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-BoardMember-too-few.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-TOO-FEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER-TOO-FEW +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-TOO-FEW +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-BoardMember-too-few.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> BoardMember + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool (false + orBool NumBoardMembers +Int NumProposers ==Int 1 + orBool Quorum ==Int NumBoardMembers + ) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
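Review bot: The left-hand side binds two distinct role holders, `CallerId |-> Role` (with `Role` restricted to BoardMember or Proposer) and `UserId |-> BoardMember`; if `userIdToRoleInvariant` or the surrounding invariant ties `NumBoardMembers`/`NumProposers` to the role map, the disjunct `NumBoardMembers +Int NumProposers ==Int 1` can never hold and only `Quorum ==Int NumBoardMembers` is reachable. That is harmless here because the second disjunct remains, but the remove-user-Proposer-nobody-left claim later in this commit uses `NumBoardMembers +Int NumProposers ==Int 1` as its sole counter condition with the same two-holder pattern, so its precondition may be unsatisfiable and the claim vacuous. Either a comment stating that the counters are not tied to the map at this point, or dropping the unreachable case, would settle it.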
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember.k
new file mode 100644
index 000000000..068decb28
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-BoardMember.k
@@ -0,0 +1,75 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-BoardMember.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-BOARDMEMBER +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-BoardMember.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> BoardMember + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers -Int 1), + u(NumProposers), + (CallerId |-> Role UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + andBool Quorum <=Int NumBoardMembers -Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-New.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-New.k
new file mode 100644
index 000000000..77e656621
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-New.k
@@ -0,0 +1,78 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-New.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-NEW + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-NEW +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-NEW +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-New.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + u(NumUsers:Int), + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + u(NumUsers +Int 1), + u(NumUsers +Int 1) |-> UserAddress UserIdToAddress, + UserAddress |-> u(NumUsers +Int 1) AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool NumUsers >=Int 0 + // TODO: Perhaps replace with unusedIdsInMapValues(AddressToUserId) + + // something to map values to keys. 
+ andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToAddress), expand(expanded)) + andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), expand(expanded)) + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool Quorum <=Int NumBoardMembers + andBool notBool (UserAddress in_keys(AddressToUserId)) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-None.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-None.k new file mode 100644 index 000000000..a1fee781d --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-None.k 
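Review bot: The continuation of the TODO comment appears in the diff as `+ + something to map values to keys.`, a line without a leading `//`; if that is the file content rather than a rendering artifact, it sits inside the `requires` and will not parse as a comment, so it should read `// something to map values to keys.`. Beyond that, the claim shows that a RemoveUser on an address absent from `AddressToUserId` succeeds and registers it as user `NumUsers +Int 1` with no role, growing `NumUsers`; that a "remove" allocates a user is a side effect worth a comment above `claim`, e.g. `// Removing an unknown address allocates a fresh user id for it (no role) and otherwise succeeds`.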
@@ -0,0 +1,75 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-None.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-NONE + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-NONE +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-NONE +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-None.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers >Int 0 + andBool notBool (UserId in_keys(UserIdToRole)) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-eq.k
new file mode 100644
index 000000000..3a9492f7c
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-eq.k
@@ -0,0 +1,72 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-Proposer-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-PROPOSER-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-Proposer-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Proposer + UserIdToRoleInner:Map + ) #as UserIdToRole, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers -Int 1), + UserIdToRoleInner, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
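Review bot: `) #as UserIdToRole,` lacks the sort annotation that every other claim in this series carries (`#as UserIdToRole:Map`); K may infer the sort from the map pattern, but the inconsistency makes this file stand out and leaves the sort to inference where its siblings state it. Change it to `) #as UserIdToRole:Map,`.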
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left-eq.k
new file mode 100644
index 000000000..83df0126f
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left-eq.k
@@ -0,0 +1,72 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-Proposer-nobody-left-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-PROPOSER-NOBODY-LEFT-EQ + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-NOBODY-LEFT-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER-NOBODY-LEFT-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-Proposer-nobody-left-eq.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(CallerAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers ==Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left.k
new file mode 100644
index 000000000..ab119b43a
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer-nobody-left.k
@@ -0,0 +1,75 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-Proposer-nobody-left.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-PROPOSER-NOBODY-LEFT + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER-NOBODY-LEFT +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER-NOBODY-LEFT +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-Proposer-nobody-left.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> Proposer + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + error ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers), + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionId |-> Action ActionData, + ActionSigners, + CallerAddress, + Stack, + ?_Variables:Map, + PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers ==Int 1 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer.k
new file mode 100644
index 000000000..23175db4b
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-Proposer.k
@@ -0,0 +1,75 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-remove-user-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-PROPOSER + imports TRUSTED-PERFORM-ACTION-ENDPOINT-REMOVE-USER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + remove-user-Proposer.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + u(NumBoardMembers:Int), + u(NumProposers:Int), + (CallerId |-> Role:UserRole + UserId |-> Proposer + UserIdToRoleInner:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> RemoveUser(UserAddress:Address) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + u(NumBoardMembers), + u(NumProposers -Int 1), + (CallerId |-> Role UserIdToRoleInner), + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + andBool addressToUserIdInvariant(AddressToUserId) + andBool Quorum <=Int NumBoardMembers + andBool NumBoardMembers +Int NumProposers -Int 1 >Int 0 + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
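Review bot: The claim cannot cover a caller removing itself: the map pattern `CallerAddress |-> CallerId:Usize UserAddress |-> UserId:Usize _AddressToUserId:Map` only matches when `CallerAddress` and `UserAddress` are distinct keys, and `CallerId |-> Role:UserRole UserId |-> Proposer UserIdToRoleInner:Map` likewise forces `CallerId =/= UserId`. A Proposer performing `RemoveUser` on its own address therefore falls outside every precondition here, so either a sibling claim handles `CallerAddress ==K UserAddress` or the perform-action-endpoint proof has a hole for self-removal, which is the case an attacker-controlled proposer would exercise. Please record which, e.g. `// Caller and removed user are distinct by construction of the map pattern; self-removal is proved in <claim>.`, and if no such claim exists add one whose post-state drops `CallerId` itself from `UserIdToRole`.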
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-call.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-call.k new file mode 100644 index 000000000..44166e104 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-call.k 
@@ -0,0 +1,74 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-sc-call.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-SC-CALL + imports TRUSTED-PERFORM-ACTION-ENDPOINT-SC-CALL +//@ trusted +// module TRUSTED-PERFORM-PARTS-SC-CALL +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + sc-call.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> SCCall( + _To:Address, + _Amount:BigUint, + _Function:BoxedBytes, + _Arguments:ExpressionList) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-deploy.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-deploy.k new file mode 100644 index 000000000..7c8ab2744 --- /dev/null 
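Review bot: The post-state records the `SCCall` as performed (`ListItem(Action) PerformedActions`, `ActionSigners[ActionId <- undef]`) with `_To`, `_Amount`, `_Function` and `_Arguments` entirely unconstrained and no component of `invariantStateFull` holding the call's outcome, so as written the claim states that the contract's bookkeeping does not depend on whether the external call succeeds. That may be exactly how the pseudocode models an asynchronous call, but it is the security-relevant fact about this action and should be written at the top of the claim, e.g. `// The external call's result is not part of the modelled state: the action is marked performed and its signers cleared unconditionally.` If `runExternalCalls` (used by the instrumentation module) carries the call as a pending effect, say that here instead, since nothing in this claim mentions it. The perform-from-id section has only `isKResult(Action)`, unlike the remove-user claims; that is fine because the user maps are untouched, but a one-line reason would keep the three external-action claims self-explanatory.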
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-sc-deploy.k @@ -0,0 +1,74 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-sc-deploy.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-SC-DEPLOY + imports TRUSTED-PERFORM-ACTION-ENDPOINT-SC-DEPLOY +//@ trusted +// module TRUSTED-PERFORM-PARTS-SC-DEPLOY +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + sc-deploy.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> SCDeploy( + _Amount:BigUint, + _Code:BoxedBytes, + _CodeMetadata:CodeMetadata, + _Arguments:ExpressionList) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule 
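Review bot: Nothing in the precondition relates `_Amount:BigUint` or `_Code:BoxedBytes` to any state the claim tracks, and the post-state is the same unconditional "performed, signers cleared" shape as for the other external actions, so the claim says nothing about a deploy that fails (insufficient balance, rejected code) and does not record the deployed address. That is acceptable if `invariantStateFull` has no balance or deploy-result component, which cannot be determined from this file, but it should be stated so a later proof does not assume more: `// No balance or deploy result is modelled; the action is marked performed regardless of _Amount/_Code/_CodeMetadata.` If a subsequent property needs the deploy to have succeeded, this claim will not provide it.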
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-send-egld.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-send-egld.k new file mode 100644 index 000000000..433bb0ad7 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-send-egld.k 
@@ -0,0 +1,73 @@ +//@ proof +require "../functions/trusted-perform-action-endpoint-send-egld.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-SEND-EGLD + imports TRUSTED-PERFORM-ACTION-ENDPOINT-SEND-EGLD +//@ trusted +// module TRUSTED-PERFORM-PARTS-SEND-EGLD +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + send-egld.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K + invariantStateFull( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> Role:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionId |-> SendEgld( + _To:Address, + _Amount:BigUint, + _Data:BoxedBytes) #as Action:Action + ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + Stack:Stack, + .Map, + PerformedActions:List + ) + + => + + evaluate(void) ~> K:K + invariantStateFull( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners[ActionId <- undef], + CallerAddress, + Stack, + ?_Variables:Map, + ListItem(Action) PerformedActions + ) + + requires true + // perform-from-id + andBool isKResult(Action) + + // perform-fragment + andBool actionSignersInvariant(ActionSigners) + andBool userIdToRoleInvariant(UserIdToRole) + andBool (Role ==K BoardMember orBool Role ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures true + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule From 9729ba7028f14cbb187293c47dbc20ae01c71bc6 Mon Sep 17 00:00:00 2001 
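Review bot: A style point: this claim is textually identical to the sc-call and sc-deploy claims except for the action constructor, and all three restate the same post-state and the same perform-fragment side condition by hand. If the K setup allows it, a shared definition for the "state unchanged except action performed" post-condition would be better; failing that, a comment such as `// Same shape as proof-perform-parts-sc-call.k / sc-deploy.k; only the action constructor differs.` makes it less likely that a later change to the perform-fragment precondition (for instance a lower bound on `Quorum`) is applied to two copies and missed in the third. Since `_To`, `_Amount` and `_Data` are unconstrained, the claim also shows that the amount transferred plays no role in the contract's own transition; stating that explicitly would help readers looking for where balances are checked.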
From: Virgil Serbanuta Date: Tue, 20 Apr 2021 21:13:07 +0300 Subject: [PATCH 32/37] Fix add board member subproof --- multisig/kompile_tool/kore.sh | 11 ++-- multisig/kompile_tool/kprove.sh | 5 +- multisig/proof.bzl | 6 ++- .../proof/functions/BUILD | 47 +++++++++++++++++ .../proof/invariant/invariant-execution.k | 52 +++++++++++++++++-- .../proof-perform-parts-add-board-member.k | 9 ++-- 6 files changed, 112 insertions(+), 18 deletions(-) diff --git a/multisig/kompile_tool/kore.sh b/multisig/kompile_tool/kore.sh index 6ab22e3be..eab912a83 100755 --- a/multisig/kompile_tool/kore.sh +++ b/multisig/kompile_tool/kore.sh @@ -20,23 +20,26 @@ shift OUTPUT=$(realpath $1) shift +BREADTH=$1 +shift + MODULE_NAME=$(cat $COMMAND | sed 's/^.*--module \([^ ]*\) .*$/\1/') # SPEC_MODULE_NAME=$(cat $COMMAND | sed 's/^.*--spec-module \([^ ]*\) .*$/\1/') KOMPILE_TOOL_DIR=kompile_tool -KORE_EXEC=$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-exec) -KORE_REPL=$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-repl) - REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript) +KORE_EXEC="$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-exec) --breadth $BREADTH" +KORE_REPL="$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-repl) --repl-script $REPL_SCRIPT" + BACKEND_COMMAND=$KORE_EXEC if [ $# -eq 0 ]; then BACKEND_COMMAND=$KORE_EXEC else if [ "$1" == "--debug" ]; then - BACKEND_COMMAND="$KORE_REPL --repl-script $REPL_SCRIPT" + BACKEND_COMMAND=$KORE_REPL else echo "Unknown argument: '$1'" exit 1 diff --git a/multisig/kompile_tool/kprove.sh b/multisig/kompile_tool/kprove.sh index 5279aa4d5..471e21fd4 100755 --- a/multisig/kompile_tool/kprove.sh +++ b/multisig/kompile_tool/kprove.sh @@ -16,8 +16,8 @@ shift PROOF_FILE=$(realpath $1) shift -#BREADTH=$1 -#shift +BREADTH=$1 +shift MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:]) 
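Review bot: `BREADTH=$1` followed by `shift` accepts any value, and because it is spliced unquoted into `KORE_EXEC="... --breadth $BREADTH"` a missing or non-numeric argument only surfaces as a kore-exec option error, or for an empty value as `--breadth` silently consuming the next token. Validate it where it is parsed, e.g. `case "$BREADTH" in ''|*[!0-9]*) echo "breadth must be a positive integer, got '$BREADTH'" >&2; exit 1;; esac` immediately after the `shift`. The same hunk keeps `OUTPUT=$(realpath $1)` and the new `$(realpath $KOMPILE_TOOL_DIR/k/bin/kore-exec)` unquoted, so any path containing whitespace still breaks; quoting `"$1"` and `"$KOMPILE_TOOL_DIR/k/bin/kore-exec"` costs nothing. The rest of kore.sh's argument handling is outside this hunk.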
@@ -29,7 +29,6 @@ KOMPILE_TOOL_DIR=kompile_tool KPROVE=$(realpath $KOMPILE_TOOL_DIR/k/bin/kprove) REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript) -#KORE_EXEC="kore-exec --breadth $BREADTH" KORE_EXEC="kore-exec --breadth $BREADTH" KORE_REPL="kore-repl --repl-script $REPL_SCRIPT" diff --git a/multisig/proof.bzl b/multisig/proof.bzl index 923cdc779..0784abedf 100644 --- a/multisig/proof.bzl +++ b/multisig/proof.bzl @@ -299,7 +299,7 @@ def _kore_test_impl(ctx): script_file = ctx.actions.declare_file(ctx.label.name + '-runner.sh') - tool_call = "kompile_tool/kore_tool %s %s %s %s %s %s" % ( + tool_call = "kompile_tool/kore_tool %s %s %s %s %s %s %s" % ( ctx.attr.module, ctx.attr.kompiled[KompileInfo].files[0].short_path, ctx.attr.kompiled[KproveInfo].definition.short_path, @@ -344,6 +344,7 @@ kore_test = rule( attrs = { "kompiled": attr.label(providers=[KproveInfo], mandatory=True), "module": attr.string(mandatory=True), + "breadth": attr.string(mandatory=True), "kore_tool": attr.label( executable = True, cfg = "exec", @@ -366,7 +367,7 @@ kore_test = rule( test = True, ) -def kprove_test(*, name, srcs, trusted=[], semantics, timeout="short"): +def kprove_test(*, name, srcs, trusted=[], semantics, breadth="1", timeout="short"): kprove_kompile( name = "%s-kompile" % name, srcs = srcs, @@ -377,6 +378,7 @@ def kprove_test(*, name, srcs, trusted=[], semantics, timeout="short"): kore_test( name = name, module = name.upper(), + breadth = breadth, kompiled = ":%s-kompile" % name, timeout = timeout, ) diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index 44a777802..2113a1e3a 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -373,6 +373,7 @@ kprove_test( name = "proof-perform-action-endpoint-fragment-New", srcs = ["proof-perform-action-endpoint-fragment-New.k"], semantics = ":functions-execute", + breadth = "2", ) kprove_test( 
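Review bot: The `tool_call` format string gains a seventh `%s`, but no `ctx.attr.breadth` is added to the value tuple in any hunk of this patch: the tuple continuation after `definition.short_path,` lies outside the hunk, and the diffstat's +4/-2 for proof.bzl is fully accounted for by the four visible changes, so unless the seventh value is supplied somewhere not shown the `%` will fail at analysis time with a missing argument. Please confirm the tuple ends with `ctx.attr.breadth,` or add it. Separately, `breadth = attr.string(mandatory=True)` with the `breadth="1"` default means a typo such as `breadth = "six"` passes Bazel analysis and only fails inside kore.sh; `attr.int(mandatory=True)`, `breadth=1` in `kprove_test` and `str(ctx.attr.breadth)` at the format site would reject it up front. The BUILD hunks that follow set values from 2 to 6 with no indication of how they were chosen; a one-line comment on the attribute explaining how a value is picked would help the next person who has to raise one.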
@@ -387,6 +388,7 @@ kprove_test( trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", timeout = "long", + breadth = "6", ) kprove_test( @@ -395,6 +397,7 @@ kprove_test( trusted = ["trusted-count-can-sign"], semantics = ":functions-execute", timeout = "long", + breadth = "6", ) kprove_test( @@ -403,6 +406,7 @@ kprove_test( trusted = [":trusted-perform-action-nothing"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -411,6 +415,7 @@ kprove_test( trusted = [":trusted-perform-action-remove-user-BoardMember"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -419,6 +424,7 @@ kprove_test( trusted = [":trusted-perform-action-remove-user-BoardMember-too-few"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -427,6 +433,7 @@ kprove_test( trusted = [":trusted-perform-action-remove-user-Proposer-nobody-left"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -435,6 +442,7 @@ kprove_test( trusted = [":trusted-perform-action-remove-user-Proposer"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -443,6 +451,7 @@ kprove_test( trusted = [":trusted-perform-action-remove-user-None"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -451,6 +460,7 @@ kprove_test( trusted = [":trusted-perform-action-remove-user-New"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -458,6 +468,7 @@ kprove_test( srcs = ["proof-perform-action-id-change-quorum.k"], trusted = [":trusted-perform-action-change-quorum"], semantics = ":functions-execute", + breadth = "3", ) kprove_test( 
@@ -465,6 +476,7 @@ kprove_test( srcs = ["proof-perform-action-id-change-quorum-no-quorum.k"], trusted = [":trusted-perform-action-change-quorum-no-quorum"], semantics = ":functions-execute", + breadth = "3", ) kprove_test( @@ -473,6 +485,7 @@ kprove_test( trusted = [":trusted-perform-action-add-proposer-BoardMember-no-quorum"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -481,6 +494,7 @@ kprove_test( trusted = [":trusted-perform-action-add-proposer-BoardMember"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -489,6 +503,7 @@ kprove_test( trusted = [":trusted-perform-action-add-proposer-Proposer"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -497,6 +512,7 @@ kprove_test( trusted = [":trusted-perform-action-add-proposer-New"], semantics = ":functions-execute", timeout = "moderate", + breadth = "5", ) kprove_test( @@ -505,6 +521,7 @@ kprove_test( trusted = [":trusted-perform-action-add-proposer-None"], semantics = ":functions-execute", timeout = "moderate", + breadth = "5", ) kprove_test( @@ -513,6 +530,7 @@ kprove_test( trusted = [":trusted-perform-action-add-board-member-New"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -521,6 +539,7 @@ kprove_test( trusted = [":trusted-perform-action-add-board-member-BoardMember"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -529,6 +548,7 @@ kprove_test( trusted = [":trusted-perform-action-add-board-member-Proposer"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -537,6 +557,7 @@ kprove_test( trusted = [":trusted-perform-action-add-board-member-None"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( 
@@ -544,6 +565,7 @@ kprove_test( srcs = ["proof-perform-action-id-send-egld.k"], trusted = [":trusted-perform-action-send-egld"], semantics = ":functions-execute", + breadth = "3", ) kprove_test( @@ -552,6 +574,7 @@ kprove_test( trusted = [":trusted-perform-action-sc-call"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -560,6 +583,7 @@ kprove_test( trusted = [":trusted-perform-action-sc-deploy"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -575,6 +599,7 @@ kprove_test( trusted = [":trusted-change-user-role-BoardMember"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -589,6 +614,7 @@ kprove_test( srcs = ["proof-perform-action-remove-user-Proposer.k"], trusted = [":trusted-change-user-role-Proposer"], semantics = ":functions-execute", + breadth = "2", ) kprove_test( @@ -711,6 +737,7 @@ kprove_test( srcs = ["proof-change-user-role-BoardMember.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -718,6 +745,7 @@ kprove_test( srcs = ["proof-change-user-role-New.k"], semantics = ":functions-execute", timeout = "long", + breadth = "3", ) kprove_test( @@ -725,6 +753,7 @@ kprove_test( srcs = ["proof-change-user-role-None.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -732,6 +761,7 @@ kprove_test( srcs = ["proof-change-user-role-Proposer.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -739,6 +769,7 @@ kprove_test( srcs = ["proof-count-can-sign.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "3", ) kprove_test( @@ -747,6 +778,7 @@ kprove_test( trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", timeout = "long", + breadth = "2", ) kprove_test( 
@@ -761,6 +793,7 @@ kprove_test( trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -769,6 +802,7 @@ kprove_test( trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -783,6 +817,7 @@ kprove_test( trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", timeout = "long", + breadth = "2", ) kprove_test( @@ -791,6 +826,7 @@ kprove_test( trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", timeout = "long", + breadth = "2", ) kprove_test( @@ -798,6 +834,7 @@ kprove_test( srcs = ["proof-propose-action-BoardMember.k"], semantics = ":functions-execute", timeout = "long", + breadth = "2", ) kprove_test( @@ -817,6 +854,7 @@ kprove_test( srcs = ["proof-propose-action-Proposer.k"], semantics = ":functions-execute", timeout = "long", + breadth = "2", ) kprove_test( @@ -828,6 +866,7 @@ kprove_test( ], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -854,6 +893,7 @@ kprove_test( name = "proof-propose-sc-deploy-fragment", srcs = ["proof-propose-sc-deploy-fragment.k"], semantics = ":functions-execute", + breadth = "6", ) kprove_test( @@ -865,6 +905,7 @@ kprove_test( ], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -872,12 +913,14 @@ kprove_test( srcs = ["proof-sign-caller-none.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( name = "proof-sign-caller-not-user", srcs = ["proof-sign-caller-not-user.k"], semantics = ":functions-execute", + breadth = "2", ) kprove_test( @@ -885,6 +928,7 @@ kprove_test( srcs = ["proof-sign-caller-proposer.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( 
@@ -898,6 +942,7 @@ kprove_test( srcs = ["proof-sign-existing-signers-in-list.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -905,6 +950,7 @@ kprove_test( srcs = ["proof-sign-existing-signers-not-in-list.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( @@ -912,6 +958,7 @@ kprove_test( srcs = ["proof-sign-no-signers.k"], semantics = ":functions-execute", timeout = "moderate", + breadth = "2", ) kprove_test( diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index 9084487ea..9f84237ca 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k @@ -680,12 +680,27 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION syntax KItem ::= splitPerformActionEndpoint2(actionId:Usize) syntax KItem ::= splitPerformActionEndpoint3(action:Action) syntax KItem ::= splitPerformActionEndpoint4(action:Action) - - rule preCall - ~> (.K => splitPerformActionEndpoint(ActionId)) - ~> call(performActionEndpoint(ActionId:Usize)) + syntax KItem ::= splitActionSigners(actionId:Usize, signers:Map) + + rule preCall + ~> (.K => splitPerformActionEndpoint(ActionId)) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> _:KItem + ~> _:KItem + ~> _:KItem + ~> (.K => splitActionSigners(ActionId, ActionSigners)) + ~> runExternalCalls(_:ExternalCommands) + ... + ActionSigners:Map [priority(20)] + rule splitActionSigners(ActionId:Usize, ActionSigners:Map) + => branchK( + ActionId in_keys(ActionSigners), + makeConcreteValue(ActionId, rExpressionList, ActionSigners), + .K + ) + rule splitPerformActionEndpoint(ActionId:Usize) => branchK( CallerAddress in_keys(AddressToUserId), 
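Review bot: The new `preCall` rule places `splitActionSigners` by skipping exactly three anonymous items (`~> _:KItem ~> _:KItem ~> _:KItem`) between `call(performActionEndpoint(...))` and `runExternalCalls(...)`, so it will silently stop matching, or match a different continuation, as soon as a KItem is added to or removed from that sequence, and nothing in the rule says what the three are. The add-board-member claim in this same patch spells them out as `popContext ~> evaluateReturnValue ~> clearExternalCallEnv`; matching them by name, `~> popContext ~> evaluateReturnValue ~> clearExternalCallEnv ~> (.K => splitActionSigners(ActionId, ActionSigners))`, ties the instrumentation to the semantics rather than to a count. If the items genuinely vary across endpoints, keep the wildcards but say so in a comment on the rule, since `[priority(20)]` plus positional wildcards fails without any diagnostic. The enclosing module continues past this hunk.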
@@ -831,9 +846,36 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION CallerAddress:Address requires CallerId in_keys(UserIdToRole) + // TODO: Delete. + syntax KItem ::= makeConcreteValueTmp(key:KItem, valueType:ReflectionType, Map) + rule makeConcreteValueTmp(Key:KItem, ValueType:ReflectionType, M:Map) + => splitMapTmp(Key, M, ?_Value:KItem, ?_Remainder:Map) + // ~> cast(M[Key], ValueType) + // ~> removeValue + // ~> concretizeValue(M[Key]) + requires Key in_keys(M) + + syntax KItem ::= splitMapTmp(key:KItem, toSplit:Map, value:KItem, remainder:Map) + [function, functional] + + // rule splitMapTmp(Key:KItem, M:Map, _Value:KItem, _Remainder:Map) => stuck + // requires notBool Key in_keys(M) + // rule splitMapTmp(Key:KItem, (Key |-> _:KItem) _:Map, _Value:KItem, _Remainder:Map) + // => endSplitMap + // [simplification(30)] + rule splitMapTmp(Key:KItem, (K1:KItem |-> _SomeValue:KItem) M:Map, Value:KItem, Remainder:Map) + => splitMapTmp(Key, M, Value, Remainder) + requires notBool (Key ==K K1) andBool Key in_keys(M) + [simplification(30)] + rule splitMapTmp(Key:KItem, M:Map, Value:KItem, Remainder:Map) + => endSplitMap + requires Key in_keys(M) + ensures M ==K (Key |-> Value Remainder) + [simplification(50)] + rule splitAddBoardMember2(UserAddress:Address) - => makeConcreteValue(UserAddress, rUsize, AddressToUserId) + => makeConcreteValueTmp(UserAddress, rUsize, AddressToUserId) ~> branchK( AddressToUserId[UserAddress] in_keys(UserIdToRole), splitAddBoardMember3(UserAddress), diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k index 6cf75151e..67f569ba2 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k 
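Review bot: `makeConcreteValueTmp` and `splitMapTmp` are introduced under `// TODO: Delete.` and wired into `splitAddBoardMember2` by a commit titled "Fix add board member subproof", yet nothing records what the non-Tmp `makeConcreteValue` did wrong or why dropping its `cast`/`removeValue`/`concretizeValue` steps (left behind as commented-out lines) fixes the subproof. Either promote the variant with a real name and a comment such as `// Splits M at Key without concretizing the value; needed in splitAddBoardMember2 because <reason>`, or, if it is genuinely temporary, name the follow-up that removes it; the commented `=> stuck` rule and the `[simplification(30)]` recursion over `notBool (Key ==K K1)` carry no explanation either. As it stands the fix is unreviewable from the diff alone, and "Tmp" code that is referenced by a live rule tends to become permanent.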
@@ -26,6 +26,7 @@ module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER ~> popContext ~> evaluateReturnValue ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) ~> runExternalCalls(EC:ExternalCommands) invariantStateStack( @@ -38,7 +39,7 @@ module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER u(Quorum:Int), ActionLastIndex0:Usize, (ActionId |-> Action ActionData0:Map) #as ActionData:Map, - ActionSigners0:Map, + ActionSigners:Map, CallerAddress:Address, stack( invariantMultisigState( @@ -51,7 +52,7 @@ module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER u(Quorum), ActionLastIndex0, ActionData, - ActionSigners0), + ActionSigners), .Map, PerformedActions, .stack), @@ -84,10 +85,10 @@ module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER u(Quorum), ActionLastIndex0, ActionData0, - ActionSigners0, + ActionSigners, expand(expanded)) andBool CallerId in_keys(UserIdToRole) - andBool Quorum <=Int countCanSignFunction({ActionSigners0[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) ensures invariant( ?NumUsers1, ?UserIdToAddress1, From c28b5baed8b703d263c66c69c7e954662fce48b8 Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Fri, 23 Apr 2021 11:04:40 +0300 Subject: [PATCH 33/37] Several perform action parts --- .../proof/execution-proof-helpers.k | 102 ++--- .../proof/execution-proof.k | 14 + .../protocol-correctness/proof/invariant.k | 8 +- .../proof/invariant/BUILD | 347 +++++++++++++++++- .../proof/invariant/init-loop-parts.k | 6 +- .../proof/invariant/invariant-execution.k | 91 +++-- .../proof/invariant/perform-parts.k | 4 +- .../invariant/proof-perform-action-endpoint.k | 15 +- .../proof-perform-parts-add-board-member-eq.k | 100 +++++ ...proof-perform-parts-add-board-member-neq.k | 102 +++++ .../proof-perform-parts-add-board-member.k | 16 +- ...perform-parts-add-proposer-no-signers-eq.k | 104 ++++++ ...erform-parts-add-proposer-no-signers-neq.k | 109 ++++++ ...of-perform-parts-add-proposer-no-signers.k | 106 ++++++ ...of-perform-parts-add-proposer-signers-eq.k | 103 ++++++ ...f-perform-parts-add-proposer-signers-neq.k | 108 ++++++ ...proof-perform-parts-add-proposer-signers.k | 105 ++++++ .../proof-perform-parts-add-proposer.k | 94 ----- .../proof/map/map-execute.k | 2 + 19 files changed, 1308 insertions(+), 228 deletions(-) create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-neq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-neq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-neq.k create mode 100644 
multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers.k delete mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k diff --git a/multisig/protocol-correctness/proof/execution-proof-helpers.k b/multisig/protocol-correctness/proof/execution-proof-helpers.k index a979f8407..fef3cf23e 100644 --- a/multisig/protocol-correctness/proof/execution-proof-helpers.k +++ b/multisig/protocol-correctness/proof/execution-proof-helpers.k @@ -7,6 +7,7 @@ module EXECUTION-PROOF-HELPERS imports PSEUDOCODE imports MAP-EXECUTE + imports EXPLICIT-KITEM-INJECTION // Expand and PropertyHandling form a stupid trick used to control symbolic // function application. @@ -365,7 +366,7 @@ module EXECUTION-PROOF-HELPERS syntax Map ::= keysMap(Map) [function, functional] rule keysMap(.Map) => .Map - rule keysMap((K:KItem |-> _:KItem M:Map) #as _:Map) => K |-> 0 keysMap(M) + rule keysMap(K:KItem |-> _:KItem M:Map) => K |-> 0 keysMap(M) [simplification] rule X:KItem in_keys(keysMap(M:Map)) => X in_keys(M) [simplification] 
@@ -377,60 +378,51 @@ module EXECUTION-PROOF-HELPERS #And #Ceil(@V) [anywhere, simplification(20)] - syntax Int ::= countMapValues(Map, KItem) [function, functional, smtlib(countMapValues)] + syntax Int ::= countMapValues(Map, ExplicitKItem) [function, functional, smtlib(countMapValues)] rule countMapValues(.Map, _) => 0 - rule countMapValues(((_ |-> U) M:Map) #as _:Map, V:KItem) => countMapValues(M, V) +Int countValue(U, V) + rule countMapValues(((_ |-> U) M:Map) #as _:Map, V:ExplicitKItem) => countMapValues(M, V) +Int countValue(wrap(U), V) [simplification] - syntax Int ::= countValue(KItem, KItem) [function, functional, smtlib(countMapValue)] - rule countValue(V:KItem, V:KItem) => 1 - rule countValue(_:KItem, _:KItem) => 0 [owise] + syntax Int ::= countValue(ExplicitKItem, ExplicitKItem) [function, functional, smtlib(countMapValue)] + rule countValue(V:ExplicitKItem, V:ExplicitKItem) => 1 + rule countValue(_:ExplicitKItem, _:ExplicitKItem) => 0 [owise] // requires notBool (V1 ==K V2) - rule 0 <=Int countValue(_:KItem, _:KItem) => true [simplification, smt-lemma] - rule countValue(_:KItem, _:KItem) >=Int 0 => true [simplification] - rule countValue(_:KItem, _:KItem) <=Int 1 => true [simplification, smt-lemma] - - rule 0 <=Int countMapValues(_, _) => true [simplification, smt-lemma] - rule countMapValues(_, _) >=Int 0 => true [simplification] - - rule countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0 [simplification] - - rule countMapValues(_, _) +Int X:Int <=Int 0 => false - requires X >Int 0 - [simplification] - // TODO: Replace these with generic int rules. 
- rule 0 <=Int countMapValues(A, B) +Int X:Int => countMapValues(A, B) +Int X >=Int 0 - [simplification] - rule countMapValues(_, _) +Int X:Int >=Int 0 => true - requires X >=Int 0 - [simplification] - rule countMapValues(_, _) +Int X:Int >Int 0 => true - requires X >Int 0 - [simplification] - rule countValue(_, _) +Int X:Int >=Int 0 => true - requires X >=Int 0 - [simplification] - rule countValue(_, _) +Int X:Int >Int 0 => true - requires X >Int 0 - [simplification] - /* - rule countMapValues(_, _) +Int 1 >=Int 0 => true [simplification] - rule countMapValues(_, _) +Int 2 >=Int 0 => true [simplification] - rule countMapValues(_, _) +Int 1 +Int countMapValues(_, _) >Int 0 => true [simplification] - rule countMapValues(_, _) +Int countMapValues(_, _) +Int X:Int >Int 0 - => true - requires X >Int 0 - [simplification] - rule countMapValues(_, _) +Int countValue(_, _) >=Int 0 => true [simplification] - rule countMapValues(_, _) +Int countValue(_, _) +Int X:Int >=Int 0 - => true - requires X >=Int 0 - [simplification] - rule countMapValues(_, _) +Int countMapValues(_, _) +Int countValue(_, _) +Int 1 >Int 0 - => true - [simplification] - */ + rule 0 <=Int countValue(_:ExplicitKItem, _:ExplicitKItem) => true [simplification, smt-lemma] + // rule countValue(_:KItem, _:KItem) >=Int 0 => true [simplification] + rule countValue(_:ExplicitKItem, _:ExplicitKItem) <=Int 1 => true [simplification, smt-lemma] + + rule 0 <=Int countMapValues(_:Map, _:ExplicitKItem) => true [simplification, smt-lemma] + // rule countMapValues(_, _) >=Int 0 => true [simplification] + + // rule countMapValues(X, Y) >Int 0 => true requires notBool countMapValues(X, Y) ==Int 0 [simplification] + + // rule countMapValues(_, _) +Int X:Int <=Int 0 => false + // requires X >Int 0 + // [simplification] + // // TODO: Replace these with generic int rules. 
+ // rule 0 <=Int countMapValues(A, B) +Int X:Int => countMapValues(A, B) +Int X >=Int 0 + // [simplification] + // rule countMapValues(_, _) +Int X:Int >=Int 0 => true + // requires X >=Int 0 + // [simplification] + // rule countMapValues(_, _) +Int X:Int >Int 0 => true + // requires X >Int 0 + // [simplification] + // rule countValue(_, _) +Int X:Int >=Int 0 => true + // requires X >=Int 0 + // [simplification] + // rule countValue(_, _) +Int X:Int >Int 0 => true + // requires X >Int 0 + // [simplification] + + // rule Q:Int <=Int (countMapValues(_, _) #as Cmv:Int) +Int X:Int +Int Y:Int => true + // requires Q:Int <=Int Cmv +Int X:Int andBool Y >=Int 0 + // [simplification] + // // TODO: Do I really need the rule below? + // rule countMapValues(_, _) +Int X:Int +Int Y:Int >=Int 0 => true + // requires X >=Int 0 andBool Y >=Int 0 + // [simplification] // TODO: Proof for this. syntax Bool ::= canSignFunction(UserRole) [function, functional] @@ -480,3 +472,13 @@ module EXECUTION-PROOF-HELPERS rule 0 <=Int countCanSignFunction(_, _) => true [simplification, smt-lemma] endmodule + +module EXPLICIT-KITEM-INJECTION + imports PSEUDOCODE + + // The Haskell backend does not send sort injections to the SMT solver. + // However, sometimes, in predicates one needs to use KItems that should be + // sent to the SMT solver. ExplicitKItem allows us to do that. + syntax ExplicitKItem ::= wrap(KItem) + +endmodule diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index cbc3a8efc..8eff4d013 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k 
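Review bot: The hunk replaces the integer lemmas about `countMapValues`/`countValue` with a long block of commented-out rules rather than deleting them, and the surviving comments (`// TODO: Replace these with generic int rules.`, `// TODO: Do I really need the rule below?`) now refer to rules that no longer exist; git has the history, so delete the block or keep only the lemmas still needed with a reason for each. The consequence for anyone debugging a proof later is that the backend now knows only `0 <=Int countValue`, `countValue <=Int 1` and `0 <=Int countMapValues` (all `smt-lemma`) plus the `smtlib(...)` hooks, so obligations such as `countMapValues(...) +Int X >Int 0` that were previously discharged syntactically depend on the SMT solver seeing the right instances; a sentence stating that `wrap(...)` exists precisely so those instances reach the solver would complement the mechanism-only comment in `EXPLICIT-KITEM-INJECTION`. The `// requires notBool (V1 ==K V2)` leftover under the `[owise]` rule should either become a real side condition or be removed. Patch 33 is titled "Several perform action parts", which does not hint that the arithmetic lemma set changed.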
@@ -91,6 +91,13 @@ module CONCRETIZE-INSTRUMENTATION rule lazyConcretizeValues(M:Map) => concretized(concretizeValues(M, vars(?_, vars(?_, .IntVarList)))) // TODO: Rename this. + // TODO: If I know the number of concretized elements alreadyin the map, and I usually do, + // I can do this instead of splitMap: + // syntax KItem ::= makeConcreteValue2(key:KItem, key2:KItem, Map) + // rule makeConcreteValue2(Key:KItem, Key2:KItem, Key2 |-> _:KItem M:Map) + // => .K + // requires Key in_keys(M) andBool notBool (Key ==K Key2) + // ensures M ==K Key |-> ?_Value:KItem ?Remainder:Map andBool notBool Key in_keys(?Remainder) syntax KItem ::= makeConcreteValue(key:KItem, valueType:ReflectionType, Map) rule makeConcreteValue(Key:KItem, ValueType:ReflectionType, M:Map) => splitMap(Key, M, ?_Value:KItem, ?_Remainder:Map) @@ -99,6 +106,13 @@ module CONCRETIZE-INSTRUMENTATION ~> concretizeValue(M[Key]) requires Key in_keys(M) + syntax KItem ::= concretizeCastInKeys(key:KItem, valueType:ReflectionType, Map) + rule concretizeCastInKeys(Key:KItem, ValueType:ReflectionType, M:Map) + => splitMap(Key, M, ?_Value:KItem, ?_Remainder:Map) + ~> cast(M[Key], ValueType) + ~> removeValue + requires Key in_keys(M) + syntax KItem ::= makeConcrete(value:KItem, valueType:ReflectionType) rule makeConcrete(Value:KItem, ValueType:ReflectionType) => cast(Value, ValueType) diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k index 169339ae6..8b319638e 100644 --- a/multisig/protocol-correctness/proof/invariant.k +++ b/multisig/protocol-correctness/proof/invariant.k 
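Review bot: The TODO added above `syntax KItem ::= makeConcreteValue(...)` has a typo, `alreadyin` → `already in`, and parks a complete alternative definition (`makeConcreteValue2`) in comment form without saying what blocks it. A one-line `// TODO: replace splitMap with a key-count-based split once the number of already-concretized entries is tracked at the call sites` records the same intent without dead code that will drift from the real `makeConcreteValue` rule.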
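Review bot: `concretizeCastInKeys` repeats the first three steps of `makeConcreteValue` verbatim (`splitMap(...) ~> cast(M[Key], ValueType) ~> removeValue`), so the two definitions can drift apart, and the new `syntax` line has no comment saying how they differ. Define the older one on top of the new one, `rule makeConcreteValue(Key:KItem, ValueType:ReflectionType, M:Map) => concretizeCastInKeys(Key, ValueType, M) ~> concretizeValue(M[Key]) requires Key in_keys(M)`, and add `// Like makeConcreteValue but leaves the value symbolic (no concretizeValue step).` above the new declaration. The `makeConcreteValue` rule begins in the previous hunk, so that rewrite touches lines outside this one.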
@@ -321,8 +321,8 @@ module INVARIANT andBool Quorum <=Int NumBoardMembers andBool (NumBoardMembers +Int NumProposers >Int 0) - andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) - andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + andBool NumBoardMembers ==Int countMapValues(UserIdToRole, wrap(BoardMember)) + andBool NumProposers ==Int countMapValues(UserIdToRole, wrap(Proposer)) // TODO: Maybe move somewhere else. rule valuesAreOfType(M:Map, rUsize) => true @@ -412,8 +412,8 @@ module INVARIANT andBool Quorum <=Int NumBoardMembers andBool (NumBoardMembers +Int NumProposers >Int 0) - andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) - andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + andBool NumBoardMembers ==Int countMapValues(UserIdToRole, wrap(BoardMember)) + andBool NumProposers ==Int countMapValues(UserIdToRole, wrap(Proposer)) syntax Bool ::= subset(Map, Map) [function, functional] rule subset(K:KItem |-> _:KItem M:Map, N:Map) diff --git a/multisig/protocol-correctness/proof/invariant/BUILD b/multisig/protocol-correctness/proof/invariant/BUILD index 09a30eb60..004de6487 100644 --- a/multisig/protocol-correctness/proof/invariant/BUILD +++ b/multisig/protocol-correctness/proof/invariant/BUILD 
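Review bot: The two new `countMapValues(UserIdToRole, wrap(BoardMember))` / `wrap(Proposer)` conjuncts appear verbatim in both hunks of this file (the blocks at 321 and 412) and again in the `@@ -210` hunk of perform-parts.k, with two more wrap sites in init-loop-parts.k; this is now the fourth copy of the same role-count predicate, and every copy must remember the wrap discipline. A single `syntax Bool ::= roleCountsMatch(UserIdToRole, NumBoardMembers, NumProposers)`-style predicate defined once in INVARIANT would keep it in one place. `wrap` is declared in the new EXPLICIT-KITEM-INJECTION module, and these hunks do not show INVARIANT's imports, so confirm the module is imported explicitly rather than reached transitively.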
@@ -59,13 +59,46 @@ klibrary( # semantics = ":invariant-execution", # ) -# kprove_test( -# name = "proof-perform-action-endpoint", -# srcs = ["proof-perform-action-endpoint.k"], -# trusted = [ -# ], -# semantics = ":invariant-execution", -# ) +kprove_test( + name = "proof-perform-action-endpoint", + srcs = ["proof-perform-action-endpoint.k"], + trusted = [ + ":trusted-perform-parts-add-board-member", + # ":trusted-perform-parts-add-proposer", + # ":trusted-perform-parts-change-quorum", + # ":trusted-perform-parts-change-quorum-no-quorum", + # ":trusted-perform-parts-New", + # ":trusted-perform-parts-no-quorum", + # ":trusted-perform-parts-None", + # ":trusted-perform-parts-Nothing", + # ":trusted-perform-parts-remove-user", + # ":trusted-perform-parts-sc-call", + # ":trusted-perform-parts-sc-deploy", + # ":trusted-perform-parts-send-egld", + ], + semantics = ":invariant-execution", +) + +kprove_test( + name = "proof-perform-parts-1", + srcs = ["proof-perform-parts-1.k"], + trusted = [ + ":trusted-perform-parts-add-board-member", + ":trusted-perform-parts-add-proposer-signers", + ":trusted-perform-parts-add-proposer-no-signers", + ":trusted-perform-parts-change-quorum", + ":trusted-perform-parts-change-quorum-no-quorum", + ":trusted-perform-parts-New", + ":trusted-perform-parts-no-quorum", + ":trusted-perform-parts-None", + # ":trusted-perform-parts-Nothing", + ":trusted-perform-parts-remove-user", + ":trusted-perform-parts-sc-call", + ":trusted-perform-parts-sc-deploy", + ":trusted-perform-parts-send-egld", + ], + semantics = ":invariant-execution", +) kprove_test( name = "proof-perform-parts-change-quorum", 
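Review bot: `proof-perform-action-endpoint` now trusts only `:trusted-perform-parts-add-board-member`, with the other eleven parts commented out, and the matching `@@ -1,12 +1,13 @@` hunk of proof-perform-action-endpoint.k later in this diff likewise imports only TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER; nothing states that the endpoint proof is therefore partial. Put `# WIP: only the add-board-member part is wired in; the remaining parts are exercised by proof-perform-parts-1 until they are enabled here` above the target, and the same sentence as a `//` comment in the .k file, so the target name is not taken at face value. If the claim cannot currently be proved with a single trusted part, `tags = ["manual"]` or keeping the target commented out is clearer than a green-looking list.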
@@ -152,30 +185,147 @@ kprove_test( name = "proof-perform-parts-add-board-member", srcs = ["proof-perform-parts-add-board-member.k"], trusted = [ - ":trusted-perform-parts-add-board-member-boardmember-eq", - ":trusted-perform-parts-add-board-member-boardmember", + "trusted-perform-parts-add-board-member-eq", + "trusted-perform-parts-add-board-member-neq", ":trusted-perform-parts-add-board-member-new", ":trusted-perform-parts-add-board-member-none", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "9", # 0 + # 57 states +) + +kprove_test( + name = "proof-perform-parts-add-board-member-eq", + srcs = ["proof-perform-parts-add-board-member-eq.k"], + trusted = [ + ":trusted-perform-parts-add-board-member-boardmember-eq", ":trusted-perform-parts-add-board-member-proposer-eq", + ], + semantics = ":invariant-execution", + timeout = "long", + breadth = "6", # 0 +) + +kprove_test( + name = "proof-perform-parts-add-board-member-neq", + srcs = ["proof-perform-parts-add-board-member-neq.k"], + trusted = [ + ":trusted-perform-parts-add-board-member-boardmember", ":trusted-perform-parts-add-board-member-proposer", ], semantics = ":invariant-execution", + timeout = "eternal", + breadth = "7", # 0 + # depth = ~27 +) + +kprove_test( + name = "proof-perform-parts-add-proposer-signers", + srcs = ["proof-perform-parts-add-proposer-signers.k"], + trusted = [ + ":trusted-perform-parts-add-proposer-signers-eq", + ":trusted-perform-parts-add-proposer-signers-neq", + ":trusted-perform-parts-add-proposer-New", + ":trusted-perform-parts-add-proposer-None", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "5", + # depth = ~25 ) kprove_test( - name = "proof-perform-parts-add-proposer", - srcs = ["proof-perform-parts-add-proposer.k"], + name = "proof-perform-parts-add-proposer-signers-eq", + srcs = ["proof-perform-parts-add-proposer-signers-eq.k"], trusted = [ ":trusted-perform-parts-add-proposer-BoardMember-eq", 
":trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq", + ":trusted-perform-parts-add-proposer-Proposer-eq", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "3", + # depth = ~32 +) + +kprove_test( + name = "proof-perform-parts-add-proposer-signers-neq", + srcs = ["proof-perform-parts-add-proposer-signers-neq.k"], + trusted = [ ":trusted-perform-parts-add-proposer-BoardMember-no-quorum", ":trusted-perform-parts-add-proposer-BoardMember", + ":trusted-perform-parts-add-proposer-Proposer", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "4", + # depth = ~35 +) + +kprove_test( + name = "proof-perform-parts-add-proposer-no-signers", + srcs = ["proof-perform-parts-add-proposer-no-signers.k"], + trusted = [ + ":trusted-perform-parts-add-proposer-no-signers-eq", + ":trusted-perform-parts-add-proposer-no-signers-neq", ":trusted-perform-parts-add-proposer-New", ":trusted-perform-parts-add-proposer-None", + ], + timeout = "eternal", + semantics = ":invariant-execution", + breadth = "5", + # depth = ~25 +) + +kprove_test( + name = "proof-perform-parts-add-proposer-no-signers-eq", + srcs = ["proof-perform-parts-add-proposer-no-signers-eq.k"], + trusted = [ + ":trusted-perform-parts-add-proposer-BoardMember-eq", + ":trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq", ":trusted-perform-parts-add-proposer-Proposer-eq", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "2", + # depth = ~22 +) + +kprove_test( + name = "proof-perform-parts-add-proposer-no-signers-neq", + srcs = ["proof-perform-parts-add-proposer-no-signers-neq.k"], + trusted = [ + ":trusted-perform-parts-add-proposer-BoardMember-no-quorum", + ":trusted-perform-parts-add-proposer-BoardMember", ":trusted-perform-parts-add-proposer-Proposer", ], semantics = ":invariant-execution", + timeout = "eternal", + breadth = "3", + # depth = ~23 +) + +kprove_test( + name = "proof-perform-parts-remove-user", + srcs = 
["proof-perform-parts-remove-user.k"], + trusted = [ + ":trusted-perform-parts-remove-user-BoardMember-eq", + ":trusted-perform-parts-remove-user-BoardMember-too-few-eq", + ":trusted-perform-parts-remove-user-BoardMember", + ":trusted-perform-parts-remove-user-BoardMember-too-few", + ":trusted-perform-parts-remove-user-New", + ":trusted-perform-parts-remove-user-None", + ":trusted-perform-parts-remove-user-Proposer-eq", + ":trusted-perform-parts-remove-user-Proposer-nobody-left-eq", + ":trusted-perform-parts-remove-user-Proposer", + ":trusted-perform-parts-remove-user-Proposer-nobody-left", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "5", + # depth = ~25 ) kprove_test( 
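Review bot: In `proof-perform-parts-add-board-member`'s `trusted` list the two new entries are written `"trusted-perform-parts-add-board-member-eq"` and `"...-neq"` without the leading colon that every other label in the file uses; Bazel resolves both spellings to the same package-local target, but the inconsistency reads like a typo and escapes any grep for `":trusted-`. Make them `":trusted-perform-parts-add-board-member-eq",` and `":trusted-perform-parts-add-board-member-neq",`. The `breadth` lines carry bare trailing comments (`# 0`, `# 57 states`, `# depth = ~27`) whose meaning is recorded nowhere; a one-line legend at the top of the block saying what the number after `#` records would make them usable. `proof-perform-parts-add-proposer-no-signers` also lists `timeout` before `semantics`, unlike its siblings.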
@@ -477,3 +627,178 @@ ktrusted( srcs = ["proof-perform-parts-add-proposer-Proposer.k"], visibility = ["//visibility:public"], ) + +ktrusted( + name = "trusted-perform-parts-add-board-member-eq", + srcs = ["proof-perform-parts-add-board-member-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member-neq", + srcs = ["proof-perform-parts-add-board-member-neq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-board-member", + srcs = ["proof-perform-parts-add-board-member.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-signers-eq", + srcs = ["proof-perform-parts-add-proposer-signers-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-signers-neq", + srcs = ["proof-perform-parts-add-proposer-signers-neq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-signers", + srcs = ["proof-perform-parts-add-proposer-signers.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-no-signers-eq", + srcs = ["proof-perform-parts-add-proposer-no-signers-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-no-signers-neq", + srcs = ["proof-perform-parts-add-proposer-no-signers-neq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-add-proposer-no-signers", + srcs = ["proof-perform-parts-add-proposer-no-signers.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-BoardMember-eq", + srcs = ["proof-perform-parts-remove-user-BoardMember-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-BoardMember-too-few-eq", + srcs = 
["proof-perform-parts-remove-user-BoardMember-too-few-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-BoardMember", + srcs = ["proof-perform-parts-remove-user-BoardMember.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-BoardMember-too-few", + srcs = ["proof-perform-parts-remove-user-BoardMember-too-few.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-New", + srcs = ["proof-perform-parts-remove-user-New.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-None", + srcs = ["proof-perform-parts-remove-user-None.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-Proposer-eq", + srcs = ["proof-perform-parts-remove-user-Proposer-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-Proposer-nobody-left-eq", + srcs = ["proof-perform-parts-remove-user-Proposer-nobody-left-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-Proposer", + srcs = ["proof-perform-parts-remove-user-Proposer.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-Proposer-nobody-left", + srcs = ["proof-perform-parts-remove-user-Proposer-nobody-left.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-change-quorum", + srcs = ["proof-perform-parts-change-quorum.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-change-quorum-no-quorum", + srcs = ["proof-perform-parts-change-quorum-no-quorum.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-New", + srcs = ["proof-perform-parts-New.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + 
name = "trusted-perform-parts-no-quorum", + srcs = ["proof-perform-parts-no-quorum.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-None", + srcs = ["proof-perform-parts-None.k"], + visibility = ["//visibility:public"], +) + +# ktrusted( +# name = "trusted-perform-parts-Nothing", +# srcs = ["proof-perform-parts-Nothing.k"], +# visibility = ["//visibility:public"], +# ) + +ktrusted( + name = "trusted-perform-parts-remove-user", + srcs = ["proof-perform-parts-remove-user.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-sc-call", + srcs = ["proof-perform-parts-sc-call.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-sc-deploy", + srcs = ["proof-perform-parts-sc-deploy.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-send-egld", + srcs = ["proof-perform-parts-send-egld.k"], + visibility = ["//visibility:public"], +) + diff --git a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k index 91e59497d..f847913f3 100644 --- a/multisig/protocol-correctness/proof/invariant/init-loop-parts.k +++ b/multisig/protocol-correctness/proof/invariant/init-loop-parts.k @@ -194,8 +194,8 @@ module INIT-LOOP-PARTS UserIdToRole, usesExpanded) andBool pListLen(Addresses) - +Int countMapValues(UserIdToRole0, BoardMember) - ==Int countMapValues(UserIdToRole, BoardMember) + +Int countMapValues(UserIdToRole0, wrap(BoardMember)) + ==Int countMapValues(UserIdToRole, wrap(BoardMember)) syntax Bool ::= initLoopInvariant( numUsers:Usize, 
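Review bot: The commented-out `trusted-perform-parts-Nothing` block gives no reason for being disabled, and the hunk adds a trailing blank line after the final `)`. Replace the bare comment block with `# TODO: re-enable trusted-perform-parts-Nothing once proof-perform-parts-Nothing.k is proved` — assuming that is why it is off — and drop the blank line so the file ends at the last `)`.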
@@ -233,5 +233,5 @@ module INIT-LOOP-PARTS // andBool valuesAreNotEmpty(UserIdToRole, rUserRole) andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), Handling) - andBool 0 ==Int countMapValues(UserIdToRole, Proposer) + andBool 0 ==Int countMapValues(UserIdToRole, wrap(Proposer)) endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/invariant/invariant-execution.k b/multisig/protocol-correctness/proof/invariant/invariant-execution.k index 9f84237ca..5a48ef98b 100644 --- a/multisig/protocol-correctness/proof/invariant/invariant-execution.k +++ b/multisig/protocol-correctness/proof/invariant/invariant-execution.k @@ -677,6 +677,7 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION syntax KItem ::= splitPerformActionEndpoint(actionId:Usize) syntax KItem ::= splitPerformActionEndpoint1(actionId:Usize) + syntax KItem ::= splitPerformActionEndpoint1a(actionId:Usize) syntax KItem ::= splitPerformActionEndpoint2(actionId:Usize) syntax KItem ::= splitPerformActionEndpoint3(action:Action) syntax KItem ::= splitPerformActionEndpoint4(action:Action) 
@@ -715,26 +716,40 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION => makeConcreteValue(CallerAddress, rUsize, AddressToUserId) ~> branchK( AddressToUserId[CallerAddress] in_keys(UserIdToRole), - branchK( - Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)), - branchK( - ActionId in_keys(ActionData), - splitPerformActionEndpoint2(ActionId), - nothing.k - ), - no-quorum.k - ), + makeConcreteValue(AddressToUserId[CallerAddress], rUserRole, UserIdToRole) + ~> branchK( + ActionId in_keys(ActionSigners), + makeConcreteValue(ActionId, rExpressionList, ActionSigners) + ~> splitPerformActionEndpoint1a(ActionId), + splitPerformActionEndpoint1a(ActionId) + ), none.k ) ... AddressToUserId:Map - u(Quorum:Int) UserIdToRole:Map CallerAddress:Address ActionSigners:Map - ActionData:Map requires CallerAddress in_keys(AddressToUserId) + rule splitPerformActionEndpoint1a(ActionId:Usize) + => branchK( + Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)), + branchK( + ActionId in_keys(ActionData), + splitPerformActionEndpoint2(ActionId), + nothing.k + ), + no-quorum.k + ) + ... + CallerAddress |-> UserId:KItem _AddressToUserId:Map + CallerAddress:Address + u(Quorum:Int) + (UserId |-> _Role _UserIdToRole:Map) #as UserIdToRole:Map + ActionSigners:Map + ActionData:Map + syntax Bool ::= isAddBoardMember(Action) [function, functional] rule isAddBoardMember(AddBoardMember(_)) => true rule isAddBoardMember(_) => false [owise] @@ -766,7 +781,7 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION rule splitPerformActionEndpoint2(ActionId) => makeConcreteValue(ActionId, rAction, ActionData) ~> splitPerformActionEndpoint3({ActionData[ActionId]}:>Action) - + ... ActionData:Map requires ActionId in_keys(ActionData) 
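Review bot: The new `splitPerformActionEndpoint1a` rule has no comment relating it to `splitPerformActionEndpoint1`, and its cell pattern `(UserId |-> _Role _UserIdToRole:Map) #as UserIdToRole:Map` binds `_Role` only to force `UserId` to be a key, which a reader can easily mistake for an unused leftover. Suggest above the rule: `// Second half of splitPerformActionEndpoint1: runs after the caller's role and (if present) the action's signer list have been concretized, so the quorum check below sees concrete map entries. The _Role binding only asserts UserId in_keys(UserIdToRole).` The `syntax` declaration for 1a sits in the `@@ -677` hunk of this file, several hundred lines away, so a pointer there helps too. Since `orDefault [.]` in 1a already copes with a missing ActionSigners key, the `ActionId in_keys(ActionSigners)` branch in 1 appears to exist only to concretize the list; if so, say that in the same comment.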
@@ -846,36 +861,9 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION CallerAddress:Address requires CallerId in_keys(UserIdToRole) - // TODO: Delete. - syntax KItem ::= makeConcreteValueTmp(key:KItem, valueType:ReflectionType, Map) - rule makeConcreteValueTmp(Key:KItem, ValueType:ReflectionType, M:Map) - => splitMapTmp(Key, M, ?_Value:KItem, ?_Remainder:Map) - // ~> cast(M[Key], ValueType) - // ~> removeValue - // ~> concretizeValue(M[Key]) - requires Key in_keys(M) - - syntax KItem ::= splitMapTmp(key:KItem, toSplit:Map, value:KItem, remainder:Map) - [function, functional] - - // rule splitMapTmp(Key:KItem, M:Map, _Value:KItem, _Remainder:Map) => stuck - // requires notBool Key in_keys(M) - // rule splitMapTmp(Key:KItem, (Key |-> _:KItem) _:Map, _Value:KItem, _Remainder:Map) - // => endSplitMap - // [simplification(30)] - rule splitMapTmp(Key:KItem, (K1:KItem |-> _SomeValue:KItem) M:Map, Value:KItem, Remainder:Map) - => splitMapTmp(Key, M, Value, Remainder) - requires notBool (Key ==K K1) andBool Key in_keys(M) - [simplification(30)] - rule splitMapTmp(Key:KItem, M:Map, Value:KItem, Remainder:Map) - => endSplitMap - requires Key in_keys(M) - ensures M ==K (Key |-> Value Remainder) - [simplification(50)] - rule splitAddBoardMember2(UserAddress:Address) - => makeConcreteValueTmp(UserAddress, rUsize, AddressToUserId) + => makeConcreteValue(UserAddress, rUsize, AddressToUserId) ~> branchK( AddressToUserId[UserAddress] in_keys(UserIdToRole), splitAddBoardMember3(UserAddress), @@ -900,13 +888,14 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION ) ... UserIdToRole:Map - UserAddress |-> UserId:Usize _AddressToUserId:Map + UserAddress |-> UserId _AddressToUserId:Map requires UserId in_keys(UserIdToRole) syntax KItem ::= splitAddProposer(Action) syntax KItem ::= splitAddProposer1(Address) syntax KItem ::= splitAddProposer2(Address) syntax KItem ::= splitAddProposer3(Address) + rule splitAddProposer(AddProposer(UserAddress:Address)) => branchK( 
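Review bot: `UserAddress |-> UserId _AddressToUserId:Map` in the `@@ -900` hunk drops the `:Usize` sort the old line had, and nothing says why. If the annotation was removed because the entry may no longer be syntactically Usize after `makeConcreteValue`, record that reason in a comment above the rule; otherwise keep `UserId:Usize`, since the looser pattern also matches malformed entries and weakens what the rule asserts. The same loosening appears as `CallerAddress |-> UserId:KItem` in `splitPerformActionEndpoint1a` in the `@@ -715` hunk.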
@@ -928,9 +917,13 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION ~> branchK( UserIdToRole[CallerId] ==K BoardMember, branchK( - Quorum <=Int NumBoardMembers -Int 1, - add-proposer-BoardMember-eq.k, - add-proposer-BoardMember-no-quorum-eq.k + Quorum ==K NumBoardMembers, + add-proposer-BoardMember-no-quorum-eq.k, + branchK( + Quorum <=Int NumBoardMembers -Int 1, + add-proposer-BoardMember-eq.k, + stuck + ) ), branchK( UserIdToRole[CallerId] ==K Proposer, @@ -965,7 +958,7 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION ~> branchK( UserIdToRole[UserId] ==K BoardMember, branchK( - Quorum ==Int NumBoardMembers, + Quorum ==K NumBoardMembers, add-proposer-BoardMember-no-quorum.k, add-proposer-BoardMember.k ), @@ -1022,15 +1015,15 @@ module PERFORM-ACTION-ENDPOINT-INSTRUMENTATION branchK( NumBoardMembers +Int NumProposers ==Int 1 orBool Quorum ==Int NumBoardMembers, - remove-user-Proposer-nobody-left-eq.k, - remove-user-Proposer-eq.k + remove-user-BoardMember-too-few-eq.k, + remove-user-BoardMember-eq.k ), branchK( UserIdToRole[CallerId] ==K Proposer, branchK( NumBoardMembers +Int NumProposers ==Int 1, - remove-user-BoardMember-too-few-eq.k, - remove-user-BoardMember-eq.k + remove-user-Proposer-nobody-left-eq.k, + remove-user-Proposer-eq.k ), stuck ) diff --git a/multisig/protocol-correctness/proof/invariant/perform-parts.k b/multisig/protocol-correctness/proof/invariant/perform-parts.k index 7882d701a..e122777e8 100644 --- a/multisig/protocol-correctness/proof/invariant/perform-parts.k +++ b/multisig/protocol-correctness/proof/invariant/perform-parts.k 
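Review bot: The new inner `branchK(Quorum <=Int NumBoardMembers -Int 1, add-proposer-BoardMember-eq.k, stuck)` in `splitAddProposer` relies on the invariant's `Quorum <=Int NumBoardMembers` conjunct to make the `stuck` arm unreachable once `Quorum ==K NumBoardMembers` is excluded, but that reasoning is not written down; add `// Quorum >Int NumBoardMembers is excluded by the invariant, so this arm is unreachable` beside `stuck`. This hunk and the `@@ -965` hunk also switch quorum equality from `==Int` to `==K` while the `@@ -1022` hunk, and the `<=Int`/`-Int` on the same operands, keep integer operators; either state the reason for `==K` in a comment or use `==Int` throughout, since mixing them on the same Int-sorted terms invites the next reader to "fix" one of them.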
@@ -210,8 +210,8 @@ module PERFORM-PARTS andBool Quorum <=Int NumBoardMembers andBool (NumBoardMembers +Int NumProposers >Int 0) - andBool NumBoardMembers ==Int countMapValues(UserIdToRole, BoardMember) - andBool NumProposers ==Int countMapValues(UserIdToRole, Proposer) + andBool NumBoardMembers ==Int countMapValues(UserIdToRole, wrap(BoardMember)) + andBool NumProposers ==Int countMapValues(UserIdToRole, wrap(Proposer)) rule performLhs( Action:Action, K:K, diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k index a1ef9d5e5..51fc333a3 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k @@ -1,12 +1,13 @@ -require "proof-count-can-sign.k" -require "proof-perform-action.k" +//@ proof +require "trusted-perform-parts-add-board-member.k" //@ Bazel remove module PROOF-PERFORM-ACTION-ENDPOINT imports INVARIANT-EXECUTION - imports PSEUDOCODE - imports TRUSTED-COUNT-CAN-SIGN - imports TRUSTED-PERFORM-ACTION + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER +//@ trusted +// module TRUSTED-PERFORM-ACTION-ENDPOINT +//@ end claim runExternalCalls( @@ -101,5 +102,9 @@ module PROOF-PERFORM-ACTION-ENDPOINT ActionSigners:Map, ?_PerformedActions:List):StateCell + //@ proof + //@ trusted + // [trusted] + //@ end endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-eq.k new file mode 100644 index 000000000..4832f7295 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-eq.k 
@@ -0,0 +1,100 @@ +//@ proof +require "trusted-perform-parts-add-board-member-BoardMember-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-Proposer-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-EQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-EQ +//@ end + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddBoardMember1(CallerAddress:Address) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> AddBoardMember(CallerAddress) ActionData0:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + 
ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-neq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-neq.k new file mode 100644 index 000000000..d52ce8977 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member-neq.k 
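Review bot: Neither the module nor the claim says what the `EQ` in the name stands for; the only clue is the `AddBoardMember(CallerAddress)` entry in the ActionData pattern, which pins the added address to the caller's own address (the sibling `-neq.k` file adds `notBool UserAddress ==K CallerAddress` instead). Put it at the top of the claim: `// Case: the address being added as board member is the caller's own address (UserAddress ==K CallerAddress).` The `requires true andBool invariant(...)` prefix is noise repeated across all four new claim files in this commit (`-neq.k`, `-no-signers-eq.k`, `-no-signers-neq.k`); `requires invariant(...)` reads the same to the prover.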
@@ -0,0 +1,102 @@ +//@ proof +require "trusted-perform-parts-add-board-member-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER-NEQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NEQ +//@ end + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddBoardMember3(UserAddress:Address) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize UserAddress |-> u(UserId:Int) _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> AddBoardMember(UserAddress) ActionData0:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + 
ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool notBool UserAddress ==K CallerAddress + andBool u(UserId) in_keys(UserIdToRole) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k index 67f569ba2..b5dbdf9df 100644 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-board-member.k 
@@ -1,20 +1,16 @@ //@ proof -require "trusted-perform-parts-add-board-member-BoardMember-eq.k" //@ Bazel remove -require "trusted-perform-parts-add-board-member-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-board-member-neq.k" //@ Bazel remove require "trusted-perform-parts-add-board-member-New.k" //@ Bazel remove require "trusted-perform-parts-add-board-member-None.k" //@ Bazel remove -require "trusted-perform-parts-add-board-member-Proposer-eq.k" //@ Bazel remove -require "trusted-perform-parts-add-board-member-Proposer.k" //@ Bazel remove module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER imports INVARIANT-EXECUTION - imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER-EQ - imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NEQ imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NEW imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-NONE - imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER-EQ - imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER-PROPOSER //@ trusted // module TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER //@ end @@ -35,7 +31,7 @@ module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, NumBoardMembers:Usize, NumProposers:Usize, - UserIdToRole:Map, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, u(Quorum:Int), ActionLastIndex0:Usize, (ActionId |-> Action ActionData0:Map) #as ActionData:Map, @@ -87,7 +83,7 @@ module PROOF-PERFORM-PARTS-ADD-BOARD-MEMBER ActionData0, ActionSigners, expand(expanded)) - andBool CallerId in_keys(UserIdToRole) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) ensures invariant( ?NumUsers1, 
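Review bot: Replacing `CallerId in_keys(UserIdToRole)` with `CallerRole ==K BoardMember orBool CallerRole ==K Proposer` narrows the claim: callers whose id is present with any other UserRole value are no longer covered, and the hunk does not say where that case goes. If performActionEndpoint rejects such callers before `splitAddBoardMember1` is reached, state it above the `requires`, e.g. `// Other roles cannot reach this point: performActionEndpoint rejects them before the split`; if it does not, the endpoint proof that now trusts this module (proof-perform-action-endpoint.k in this diff) inherits the gap. The pseudocode that would confirm the earlier rejection is outside this diff, so the comment should cite where it lives.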
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-eq.k new file mode 100644 index 000000000..23c800a4a --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-eq.k 
@@ -0,0 +1,104 @@ +//@ proof +require "trusted-perform-parts-add-proposer-BoardMember-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-Proposer-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS-EQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddProposer1(CallerAddress) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> AddProposer(CallerAddress) ActionData0:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + 
andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool notBool ActionId in_keys(ActionSigners) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-neq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-neq.k new file mode 100644 index 000000000..1fab31c64 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers-neq.k 
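Review bot: The requires clause combines `notBool ActionId in_keys(ActionSigners)` with `Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))`, so the signer list is `[.]` and, assuming the (not visible here) base case of countCanSignFunction on an empty list is 0, the hypothesis reduces to `Quorum <=Int 0` with `Quorum` a `u(...)` value, i.e. a zero quorum. Either the `invariant(...)` premise forbids a zero quorum, in which case the hypotheses are inconsistent and this claim passes vacuously without certifying anything, or a zero quorum is reachable and this is the claim that licenses performing an action nobody signed, which is the security-relevant case. Please state which it is in a comment above the requires, e.g. `// No signers: reachable only when Quorum == 0; invariant(...) permits/forbids this (see the quorum clause).`, and if it is forbidden consider a claim that the call is rejected rather than a vacuous invariant-preservation claim. The same hypothesis pair appears in the no-signers-neq and no-signers claims below.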
@@ -0,0 +1,109 @@ +//@ proof +require "trusted-perform-parts-add-proposer-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS-NEQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS-NEQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddProposer3(UserAddress) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> AddProposer(UserAddress) ActionData0:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + 
requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool notBool UserAddress ==K CallerAddress + andBool UserId in_keys(UserIdToRole) + andBool notBool ActionId in_keys(ActionSigners) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers.k new file mode 100644 index 000000000..2f7453940 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-no-signers.k 
@@ -0,0 +1,106 @@ +//@ proof +require "trusted-perform-parts-add-proposer-no-signers-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-no-signers-neq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-New.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-None.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS-NEQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NEW + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NONE +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddProposer(AddProposer(_UserAddress:Address) #as Action:Action) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> Action ActionData0:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + 
?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool notBool ActionId in_keys(ActionSigners) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-eq.k new file mode 100644 index 000000000..75cd8639e --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-eq.k 
@@ -0,0 +1,103 @@ +//@ proof +require "trusted-perform-parts-add-proposer-BoardMember-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-Proposer-eq.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-SIGNERS-EQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER-EQ +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-SIGNERS-EQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddProposer1(CallerAddress) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> AddProposer(CallerAddress) ActionData0:Map) #as ActionData:Map, + (ActionId |-> _Signers:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + 
?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-neq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-neq.k new file mode 100644 index 000000000..96efd7333 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers-neq.k 
@@ -0,0 +1,108 @@ +//@ proof +require "trusted-perform-parts-add-proposer-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-Proposer.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-SIGNERS-NEQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-SIGNERS-NEQ +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddProposer3(UserAddress) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> UserId:Usize + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> AddProposer(UserAddress) ActionData0:Map) #as ActionData:Map, + (ActionId |-> _Signers:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + 
?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool notBool UserAddress ==K CallerAddress + andBool UserId in_keys(UserIdToRole) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers.k new file mode 100644 index 000000000..3e100a9c0 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer-signers.k 
@@ -0,0 +1,105 @@ +//@ proof +require "trusted-perform-parts-add-proposer-eq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-neq.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-New.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-None.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-ADD-PROPOSER-SIGNERS + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-SIGNERS-EQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-SIGNERS-NEQ + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NEW + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NONE +//@ trusted +// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER-SIGNERS +//@ end + + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAddProposer(AddProposer(_UserAddress:Address) #as Action:Action) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> Action ActionData0:Map) #as ActionData:Map, + (ActionId |-> _Signers:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + 
?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData0, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k deleted file mode 100644 index 85e5bf480..000000000 --- a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-add-proposer.k +++ /dev/null 
@@ -1,94 +0,0 @@ -//@ proof -require "trusted-perform-parts-add-proposer-BoardMember-eq.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-BoardMember-no-quorum-eq.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-BoardMember-no-quorum.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-BoardMember.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-New.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-None.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-Proposer-eq.k" //@ Bazel remove -require "trusted-perform-parts-add-proposer-Proposer.k" //@ Bazel remove - -module PROOF-PERFORM-PARTS-ADD-PROPOSER - imports INVARIANT-EXECUTION - - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-EQ - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM-EQ - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER-NO-QUORUM - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-BOARDMEMBER - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NEW - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NONE - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER-EQ - imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-PROPOSER -//@ trusted -// module TRUSTED-PERFORM-PARTS-ADD-PROPOSER -//@ end - - claim - action-splitted - ~> call(performActionEndpoint(ActionId:Usize)) - ~> popContext - ~> evaluateReturnValue - ~> clearExternalCallEnv - ~> runExternalCalls(EC:ExternalCommands) - - invariantState( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserRoles:Map, - Quorum:Usize, - ActionLastIndex0:Usize, - ActionData0:Map, - ActionSigners0:Map, - _PerformedActions:List) - - => - - runExternalCalls(EC) - invariantState( - ?NumUsers1:Usize, - ?UserIdToAddress1:Map, - ?AddressToUserId1:Map, - ?NumBoardMembers1:Usize, - ?NumProposers1:Usize, - ?UserRoles1:Map, - ?Quorum1:Usize, - ?ActionLastIndex1:Usize, - ?ActionData1:Map, - ?ActionSigners1:Map, - 
?_PerformedActions:List):StateCell - - requires true - andBool invariant( - NumUsers:Usize, - UserIdToAddress:Map, - AddressToUserId:Map, - NumBoardMembers:Usize, - NumProposers:Usize, - UserRoles:Map, - Quorum:Usize, - ActionLastIndex0:Usize, - ActionData0:Map, - ActionSigners0:Map, - expand(expanded)) - andBool ActionId in_keys(ActionData) - andBool isAddProposer({ActionData[ActionId]}:>Action) - ensures invariant( - ?NumUsers1:Usize, - ?UserIdToAddress1:Map, - ?AddressToUserId1:Map, - ?NumBoardMembers1:Usize, - ?NumProposers1:Usize, - ?UserRoles1:Map, - ?Quorum1:Usize, - ?ActionLastIndex1:Usize, - ?ActionData1:Map, - ?ActionSigners1:Map, - usesExpanded) - //@ proof - //@ trusted - // [trusted] - //@ end -endmodule diff --git a/multisig/protocol-correctness/proof/map/map-execute.k b/multisig/protocol-correctness/proof/map/map-execute.k index e94b98b6c..9592909b8 100644 --- a/multisig/protocol-correctness/proof/map/map-execute.k +++ b/multisig/protocol-correctness/proof/map/map-execute.k @@ -12,6 +12,8 @@ module MAP-EXECUTE // A (K |-> V M:Map) map representation is bottom if `K in_keys(M)`, hence // the function-based representation below. This means that whatever function // is using these can manipulate them only through simplification rules. + // + // TODO: Consider replacing these with Map[<-] or something similar. syntax Map ::= opaque(Map) [function, functional] | concat(key:KItem, value:KItem, Map) [function, functional, no-evaluators] | extractMap(Map) [function, functional] From 5ee9edbf0011e7d7e7b89555bbf6764e97fc5616 Mon Sep 17 00:00:00 2001 
From: Virgil Serbanuta Date: Fri, 23 Apr 2021 16:08:00 +0300 Subject: [PATCH 34/37] Perform parts remove and malicious user --- multisig/kompile_tool/kprove-kompile.sh | 4 +- multisig/protocol-correctness/invariant.k | 186 ------ .../proof/execution-proof-helpers.k | 16 + .../proof/functions/BUILD | 4 +- .../proof/functions/proof-count-can-sign.k | 1 + .../proof-discard-action-has-signers.k | 1 + ...iscard-action-no-valid-signers-no-action.k | 1 + .../proof-discard-action-no-valid-signers.k | 1 + .../protocol-correctness/proof/invariant.k | 69 +-- .../proof/invariant/BUILD | 89 ++- .../proof/invariant/proof-perform-parts-1.k | 573 ++++++++++++++++++ ...-perform-parts-change-quorum-with-quorum.k | 71 +++ .../proof-perform-parts-change-quorum.k | 123 ++-- .../proof-perform-parts-remove-user-eq.k | 104 ++++ .../proof-perform-parts-remove-user-neq.k | 111 ++++ .../proof-perform-parts-remove-user.k | 104 ++++ .../proof/malicious-user/BUILD | 12 + .../malicious-user/malicious-user-execute.k | 148 ++++- .../proof/malicious-user/malicious-user.mak | 9 +- .../proof/malicious-user/proofs/BUILD | 10 + .../{ => proofs}/proof-call-invariant.k | 0 .../{ => proofs}/proof-cannot-perform.k | 55 +- multisig/protocol-correctness/pseudocode.k | 31 +- 23 files changed, 1348 insertions(+), 375 deletions(-) delete mode 100644 multisig/protocol-correctness/invariant.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-1.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-with-quorum.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-eq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-neq.k create mode 100644 multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user.k create mode 100644 multisig/protocol-correctness/proof/malicious-user/BUILD create mode 100644 
multisig/protocol-correctness/proof/malicious-user/proofs/BUILD rename multisig/protocol-correctness/proof/malicious-user/{ => proofs}/proof-call-invariant.k (100%) rename multisig/protocol-correctness/proof/malicious-user/{ => proofs}/proof-cannot-perform.k (50%) diff --git a/multisig/kompile_tool/kprove-kompile.sh b/multisig/kompile_tool/kprove-kompile.sh index f2fa60dcf..274b4457e 100755 --- a/multisig/kompile_tool/kprove-kompile.sh +++ b/multisig/kompile_tool/kprove-kompile.sh @@ -35,7 +35,7 @@ trap 'rm -rf -- "$TMP_DIR"' EXIT cp -rL $KOMPILE_DIR $TMP_DIR chmod -R a+w $TMP_DIR/* -pushd $TMP_DIR +pushd $TMP_DIR > /dev/null $KPROVE \ --spec-module "$MODULE_NAME" \ @@ -45,7 +45,7 @@ $KPROVE \ SPEC_FILE=$(cat output | grep kore-exec | sed 's/^.*--prove \([^ ]*\) .*$/\1/') COMMAND=$(cat output | grep kore-exec) -popd +popd > /dev/null cp $SPEC_FILE $SPEC_OUTPUT diff --git a/multisig/protocol-correctness/invariant.k b/multisig/protocol-correctness/invariant.k deleted file mode 100644 index f61280770..000000000 --- a/multisig/protocol-correctness/invariant.k +++ /dev/null 
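Review bot: `pushd $TMP_DIR > /dev/null` now also hides pushd's own error message, so if the directory cannot be entered the script silently runs `$KPROVE` in the caller's working directory and then copies whatever `grep kore-exec` finds there; the hunk does not show whether the script runs under `set -e`, and even then an unquoted `$TMP_DIR` containing whitespace would split into several arguments. Suggest `pushd "$TMP_DIR" > /dev/null || exit 1` and, symmetrically, `popd > /dev/null || exit 1`, quoting `$TMP_DIR` in the surrounding `cp`/`chmod` lines as well. The rest of the script, including where TMP_DIR is created, is outside these hunks.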
@@ -1,186 +0,0 @@ -module INVARIANT-SYNTAX - imports PROOF-CONFIGURATION - - syntax Bool ::= invariant(MultisigState, ProofState) [function] -endmodule - -module INVARIANT - imports PROOF-CONFIGURATION - - rule invariant(NoState) => true - rule invariant( - multisigState( - U:Users, - B:BoardState, - actionState(ActionLastIndex:usize, Actions:Actions)), - proofState(AL:ActionLog, VL:VoteLog, UL:UserLog)) - => true - // non-empty board, board members >= quorum - andBool canVote(U, B) - andBool canPropose() - // at execution time, an action was signed by at least 'quorum' - // board members. - // TODO: If a user votes, is removed, is re-added, should the vote count? - // TODO: There is a weird thing about removing an action by removing the - // last signature, which, practically, performs an action without votes. - andBool allExecutedActionsWereAddedThenSigned() - // TODO: Do I need these? - andBool eachProposedActionGetsNewId() - andBool eachNewUserGetsANewId() - andBool stateReflectsActions() - // consistency checks - TODO: Which of them do I need? - andBool realVotesCorrespondToLog(RealVotes, AL, VL, UL) - // cineva nu poate bloca - // gazul creste liniar cu nr de board_memberi - // ultima persoana sa nu poata pleca. - - syntax Bool ::= canVote(MasterLog) [function] - // Normally I should also check that the board users are valid users. - // Also, I should not use the cached quorum, but the actual one. 
- rule canVote(MasterLog) - => true - andBool computeQuorum(MasterLog) <=Int computeBoardSize(MasterLog) - andBool 0 false - orBool 0 true - rule allExecutedActionsWereAddedThenSigned(MasterLog:List A:Action) - => allExecutedActionsWereAddedThenSigned(MasterLog:List) - requires notBool isExecution(A) - rule allExecutedActionsWereAddedThenSigned(MasterLog:List Execute(ActionId)) - => true - andBool allExecutedActionsWereAddedThenSigned(MasterLog:List) - andBool computeQuorum(MasterLog) <=Int computeValidVotesCount(ActionId, MasterLog) - - syntax Int ::= computeBoardSize(MasterLog) [function] - rule computeBoardSize(MasterLog Execute(AddBoardMember(X))) - => computeBoardSize(MasterLog) - requires boardAlreadyContains(MasterLog, X) - rule computeBoardSize(MasterLog Execute(AddBoardMember(X))) - => computeBoardSize(MasterLog) + 1 - requires notBool boardAlreadyContains(MasterLog, X) - rule computeBoardSize(MasterLog Execute(AddProposer(X))) - => computeBoardSize(MasterLog) -Int 1 - requires boardAlreadyContains(MasterLog, X) - rule computeBoardSize(MasterLog Execute(AddProposer(X))) - => computeBoardSize(MasterLog) - requires notBool boardAlreadyContains(MasterLog, X) - rule computeBoardSize(MasterLog Execute(RemoveUser(X))) - => computeBoardSize(MasterLog) -Int 1 - requires boardAlreadyContains(MasterLog, X) - rule computeBoardSize(MasterLog Execute(RemoveUser(X))) - => computeBoardSize(MasterLog) - requires notBool boardAlreadyContains(MasterLog, X) - rule computeQuorum(MasterLog A) => computeQuorum(MasterLog) [owise] - - syntax Bool ::= boardAlreadyContains(MasterLog, UserId) [function] - rule boardAlreadyContains(MasterLog Execute(RemoveUser(UserId)), UserId) => false - rule boardAlreadyContains(MasterLog Execute(AddProposer(UserId)), UserId) => false - rule boardAlreadyContains(MasterLog Execute(AddBoardMember(UserId)), UserId) => true - rule boardAlreadyContains(MasterLog _, UserId) => boardAlreadyContains(MasterLog, UserId) - - syntax Int ::= 
computeQuorum(MasterLog) [function] - rule computeQuorum(MasterLog Execute(ChangeQuorum(X))) => X - rule computeQuorum(MasterLog A) => computeQuorum(MasterLog) - requires notBool isChangeQuorum(MasterLog, A) - - syntax Int ::= computeProposerCount(MasterLog) [function] - rule computeProposerCount(MasterLog Execute(AddProposer(X))) - => computeProposerCount(MasterLog) - requires isAlreadyProposer(MasterLog, X) - rule computeProposerCount(MasterLog Execute(AddProposer(X))) - => computeProposerCount(MasterLog) + 1 - requires notBool isAlreadyProposer(MasterLog, X) - rule computeProposerCount(MasterLog Execute(RemoveUser(X))) - => computeProposerCount(MasterLog) - 1 - requires isAlreadyProposer(MasterLog, X) - rule computeProposerCount(MasterLog Execute(RemoveUser(X))) - => computeProposerCount(MasterLog) - requires notBool isAlreadyProposer(MasterLog, X) - - - syntax Bool ::= isAlreadyProposer(MasterLog, UserId) [function] - rule isAlreadyProposer(MasterLog Execute(RemoveUser(UserId)), UserId) => false - rule isAlreadyProposer(MasterLog Execute(AddProposer(UserId)), UserId) => true - rule isAlreadyProposer(MasterLog Execute(AddBoardMember(UserId)), UserId) => false - rule isAlreadyProposer(MasterLog _, UserId) => isAlreadyProposer(MasterLog, UserId) - - // What I really want is card({x | x is a board member & last_vote_action(x, A) = "vote(A)"}) - syntax Int ::= computeValidVotesCount(ActionId, MasterLog) [function] - rule computeValidVotesCount(Action, MasterLog Execute(RemoveUser(X))) - => computeValidVotesCount(Action, MasterLog) - 1 - requires userHasSigned(X, Action, MasterLog) andBool actionExists(Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(RemoveUser(X))) - => computeValidVotesCount(Action, MasterLog) - requires notBool userHasSigned(X, Action, MasterLog) andBool actionExists(Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(AddProposer(X))) - => computeValidVotesCount(Action, MasterLog) - 1 - requires 
userHasSigned(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(AddProposer(X))) - => computeValidVotesCount(Action, MasterLog) - requires notBool userHasSigned(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(AddBoardMember(X))) - => computeValidVotesCount(Action, MasterLog) + 1 - requires userHasSignature(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(AddBoardMember(X))) - => computeValidVotesCount(Action, MasterLog) - requires notBool userHasSignature(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(unsign(X, Action))) - => computeValidVotesCount(Action, MasterLog) - 1 - requires userHasSigned(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(unsign(X, Action))) - => computeValidVotesCount(Action, MasterLog) - requires notBool userHasSigned(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(sign(X, Action))) - => computeValidVotesCount(Action, MasterLog) + 1 - requires boardAlreadyContains(X, MasterLog) - andBool notBool userHasSigned(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(sign(X, Action))) - => computeValidVotesCount(Action, MasterLog) - requires boardAlreadyContains(X, MasterLog) - andBool userHasSigned(X, Action, MasterLog) - rule computeValidVotesCount(Action, MasterLog Execute(sign(X, Action))) - => stuck - requires notBool boardAlreadyContains(X, MasterLog) - rule computeValidVotesCount(Action, MasterLog _) => computeValidVotesCount(Action, MasterLog) - - syntax Bool ::= userHasSigned(UserId, ActionId, MasterLog) - rule userHasSigned(UserId, ActionId, MasterLog) - => boardAlreadyContains(UserId, MasterLog) // TODO: Use "userCanVote" - andBool userHasSignature(UserId, ActionId, MasterLog) - - syntax Bool ::= userHasSignature(UserId, ActionId, MasterLog) - rule userHasSignature(UserId, ActionId, MasterLog Execute(unsign(UserId, ActionId))) - => false 
- rule userHasSignature(UserId, ActionId, MasterLog Execute(sign(UserId, ActionId))) - => true - rule userHasSignature(UserId, ActionId, MasterLog _) - => userHasSignature(UserId, ActionId, MasterLog) [owise] - - /* - syntax Bool ::= eachProposedActionGetsNewId(MasterLog) [owise] - rule eachProposedActionGetsNewId(MasterLog Execute(AddAction(X))) - */ - - syntax Bool ::= stateReflectsActions(State, MasterLog) [function] - rule stateReflectsActions() => true - // consistency checks - TODO: Which of them do I need? - andBool userRoleReflectsActions() - andBool quorumReflectsActions() - // both the board and the board size - andBool boardReflectsActions() - andBool proposerCountReflectsActions() - andBool usersReflectActions() - andBool votesAreValid() - - andBool lastIndexIsMaxUsed(ActionLastIndex, AL) - andBool actionsCorrespondToLog(Actions, AL) - andBool votesCorrespondToLog(Actions, VL) - andBool usersCorrespondToLog(Users, UL) -endmodule diff --git a/multisig/protocol-correctness/proof/execution-proof-helpers.k b/multisig/protocol-correctness/proof/execution-proof-helpers.k index fef3cf23e..ea995c31a 100644 --- a/multisig/protocol-correctness/proof/execution-proof-helpers.k +++ b/multisig/protocol-correctness/proof/execution-proof-helpers.k @@ -101,6 +101,15 @@ module EXECUTION-PROOF-HELPERS => isUsize(E) andBool listElementsAreUsize([Es]) [simplification] + syntax Bool ::= listElementsAreDistinct(KItem) [function, functional] + rule listElementsAreDistinct([.]) => true + rule listElementsAreDistinct([E:Expression, Es:ExpressionCSV]) + => true + andBool notBool #listContains([Es], E) + andBool listElementsAreDistinct([Es]) + rule listElementsAreDistinct(_:KItem) => false + [owise] + syntax Bool ::= valuesAreExpressionListOfUsize(Map) [function, functional] rule valuesAreExpressionListOfUsize(.Map) => true rule valuesAreExpressionListOfUsize((_ |-> V M:Map) #as _:Map) 
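Review bot: The new `listElementsAreDistinct` predicate carries no comment, and its `[owise]` rule returns `false` for any argument that is not a well-formed ExpressionList, which a reader can mistake for a "list has duplicates" verdict. Suggest a header comment above the syntax declaration: `// True iff no element of the ExpressionList occurs twice (checked with #listContains, so quadratic); any argument that is not an ExpressionList is false. Used as a hypothesis on signer lists in the count-can-sign and discard-action proofs.` Since the hunk sits next to `listElementsAreUsize`, it would also help to note whether callers are expected to combine the two, as the proofs in this patch do.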
@@ -434,6 +443,9 @@ module EXECUTION-PROOF-HELPERS rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], UserId |-> Role:UserRole M:Map) => 1 +Int countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. requires canSignFunction(Role) + rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], M:Map) + => countCanSignFunction([Es], M) // Remove UserId from the map since each user is counted at most once. + requires notBool UserId in_keys(M) rule countCanSignFunction([_:Expression, Es:ExpressionCSV], M) => countCanSignFunction([Es], M) [owise] @@ -454,6 +466,10 @@ module EXECUTION-PROOF-HELPERS requires notBool #listContains(Es, UserId) [simplification] + rule countCanSignFunction(Es:ExpressionList, concat(UserId:KItem, _Role:UserRole, M:Map)) + => countCanSignFunction(Es, M) + requires notBool #listContains(Es, UserId) + [simplification] rule countCanSignFunction([UserId:Usize, Es:ExpressionCSV], concat(UserId1:KItem, Role:UserRole, M:Map)) => #countCanSignFunction(UserId, [Es], concat(UserId1, Role, M), concat(UserId1, Role, M)[UserId] orDefault None) [simplification] diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD index 2113a1e3a..29164934c 100644 --- a/multisig/protocol-correctness/proof/functions/BUILD +++ b/multisig/protocol-correctness/proof/functions/BUILD @@ -246,6 +246,7 @@ kprove_test( ":trusted-perform-action-id-add-proposer-Proposer", ], semantics = ":functions-execute", + timeout = "moderate", ) kprove_test( @@ -769,7 +770,8 @@ kprove_test( srcs = ["proof-count-can-sign.k"], semantics = ":functions-execute", timeout = "moderate", - breadth = "3", + breadth = "6", + # depth ~= 61 ) kprove_test( diff --git a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k index 69f750a35..ac401906c 100644 
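Review bot: The comment on the new `countCanSignFunction` rule, `// Remove UserId from the map since each user is counted at most once.`, was copied from the rule above it and does not describe this rule: with `requires notBool UserId in_keys(M)` nothing is removed, the id is simply absent from the role map. Replace it with `// UserId has no role entry, so it cannot sign and contributes nothing.` The rule also produces the same result as the `[owise]` rule that follows it; if it exists only so the prover can take this case without owise reasoning, a one-line comment saying so would save the next reader the same question.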
--- a/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k +++ b/multisig/protocol-correctness/proof/functions/proof-count-can-sign.k @@ -51,6 +51,7 @@ module PROOF-COUNT-CAN-SIGN andBool isKResult(SignerIds) andBool listElementsAreUsize(SignerIds) andBool userIdToRoleInvariant(UserIdToRole) + andBool listElementsAreDistinct(SignerIds) ensures true //@ proof //@ trusted diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k index 742a4af01..23cf9d832 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-has-signers.k @@ -58,6 +58,7 @@ module PROOF-DISCARD-ACTION-HAS-SIGNERS andBool isKResult(SignerIds) andBool listElementsAreUsize(SignerIds) andBool userIdToRoleInvariant(UserIdToRole) + andBool listElementsAreDistinct(SignerIds) andBool (Role ==K BoardMember orBool Role ==K Proposer) diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k index c31444f16..e5dfe0a83 100644 --- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers-no-action.k @@ -59,6 +59,7 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS-NO-ACTION andBool isKResult(SignerIds) andBool listElementsAreUsize(SignerIds) + andBool listElementsAreDistinct(SignerIds) andBool userIdToRoleInvariant(UserIdToRole) diff --git a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k index ca28304da..a65345a59 100644 
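Review bot: The new hypothesis `andBool listElementsAreDistinct(SignerIds)` is placed inconsistently across the four proof files: proof-count-can-sign.k and proof-discard-action-has-signers.k insert it after `userIdToRoleInvariant(UserIdToRole)`, while proof-discard-action-no-valid-signers-no-action.k and proof-discard-action-no-valid-signers.k insert it before, next to `listElementsAreUsize(SignerIds)`. Since the conjunct is a property of `SignerIds`, keeping it beside `listElementsAreUsize(SignerIds)` in all four reads better and lets the preconditions of the proofs line up in a diff. Beyond placement, each claim now assumes duplicate-free signer lists, which narrows what the claim establishes; the assurance then rests on the invariant really guaranteeing that property, and the proof that the sign endpoint preserves it is not visible in this diff, so a short comment at the hypothesis naming where it is established would help.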
--- a/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k +++ b/multisig/protocol-correctness/proof/functions/proof-discard-action-no-valid-signers.k @@ -57,6 +57,7 @@ module PROOF-DISCARD-ACTION-NO-VALID-SIGNERS andBool isKResult(SignerIds) andBool listElementsAreUsize(SignerIds) + andBool listElementsAreDistinct(SignerIds) andBool userIdToRoleInvariant(UserIdToRole) diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k index 8b319638e..824c6bb4a 100644 --- a/multisig/protocol-correctness/proof/invariant.k +++ b/multisig/protocol-correctness/proof/invariant.k @@ -55,6 +55,7 @@ module INVARIANT-HELPERS andBool isExpressionList(V) andBool listElementsAreUsize(V) // valuesAreExpressionListOfUsize(ActionSigners) andBool isKResult(V) // valuesAreKResult(ActionSigners) andBool valueIsNotEmpty(V, rExpressionList) // valuesAreNotEmpty(ActionSigners, rExpressionList) + andBool listElementsAreDistinct(V) andBool actionSignersInvariant(ActionSigners) [simplification] @@ -251,7 +252,7 @@ module INVARIANT - + syntax Bool ::= invariant( numUsers:Usize, userIdToAddress:Map, @@ -309,6 +310,7 @@ module INVARIANT andBool actionSignersInvariant(ActionSigners) // andBool valuesAreExpressionListOfUsize(ActionSigners) // andBool valuesAreKResult(ActionSigners) + // andBool valuesAreExpressionListOfDistinctElements(ActionSigners) andBool actionDataInvariant(ActionData) // andBool valuesAreOfType(ActionData, rAction) 
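Review bot: The `[simplification]` rule for `actionSignersInvariant` now asserts `listElementsAreDistinct(V)` for each signer list, but this hunk does not show the defining (non-simplification) rules of `actionSignersInvariant` gaining the same conjunct. A simplification stronger than the definition it stands for is unsound, and the claims in this commit that add `listElementsAreDistinct(SignerIds)` as a hypothesis would then be discharged from a property the invariant never establishes; please confirm the definition is updated the same way (it may be outside this hunk). The top-level `invariant` hunk at `@@ -309` only adds the commented-out `// andBool valuesAreExpressionListOfDistinctElements(ActionSigners)`, so distinctness reaches `invariant` only through `actionSignersInvariant(ActionSigners)`; either remove the commented line or replace it with `// distinctness of each signer list is covered by actionSignersInvariant` so the dependency is visible.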
@@ -350,71 +352,6 @@ module INVARIANT requires false orBool addressToUserIdInvariant(M) - // TODO: Delete. - syntax Bool ::= invariantDebug( - numUsers:Usize, - userIdToAddress:Map, - addressToUserId:Map, - numBoardMembers:Usize, - numProposers:Usize, - userIdToRole:Map, - quorum:Usize, - actionLastIndex:Usize, - actionData:Map, - actionSigners:Map, - handling:PropertyHandling) [function, functional] - - rule invariantDebug( - u(NumUsers:Int), - UserIdToAddress:Map, - AddressToUserId:Map, - u(NumBoardMembers:Int), - u(NumProposers:Int), - UserIdToRole:Map, - u(Quorum:Int), - u(ActionLastIndex:Int), - ActionData:Map, - ActionSigners:Map, - Handling:PropertyHandling) - => true - andBool notBool u(0) in_keys(UserIdToAddress) - andBool notBool u(0) in_keys(UserIdToRole) - - andBool allValuesBecomeKeys(AddressToUserId, UserIdToAddress) - andBool allValuesBecomeKeys(UserIdToAddress, AddressToUserId) - - andBool valuesAreOfType(AddressToUserId, rUsize) - andBool valuesAreKResult(AddressToUserId) - andBool valuesAreNotEmpty(AddressToUserId, rUsize) - andBool unusedIdsInMapValues(NumUsers +Int 1, AddressToUserId, Handling) - andBool valuesAreDistinct(AddressToUserId) - - andBool valuesAreOfType(UserIdToRole, rUserRole) - andBool valuesAreKResult(UserIdToRole) - andBool valuesAreNotEmpty(UserIdToRole, rUserRole) - andBool unusedIdsInMapKeys(NumUsers +Int 1, keysMap(UserIdToRole), Handling) - - andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionData), Handling) - andBool unusedIdsInMapKeys(ActionLastIndex +Int 1, keysMap(ActionSigners), Handling) - andBool maxMapKey(u(ActionLastIndex), keysMap(ActionData)) - andBool maxMapKey(u(ActionLastIndex), keysMap(ActionSigners)) - - andBool valuesAreExpressionListOfUsize(ActionSigners) - andBool valuesAreKResult(ActionSigners) - - andBool valuesAreOfType(ActionData, rAction) - andBool valuesAreKResult(ActionData) - - andBool NumUsers >=Int 0 // TODO: Strict >? 
- andBool NumBoardMembers >=Int 0 - andBool NumProposers >=Int 0 - - andBool Quorum <=Int NumBoardMembers - andBool (NumBoardMembers +Int NumProposers >Int 0) - - andBool NumBoardMembers ==Int countMapValues(UserIdToRole, wrap(BoardMember)) - andBool NumProposers ==Int countMapValues(UserIdToRole, wrap(Proposer)) - syntax Bool ::= subset(Map, Map) [function, functional] rule subset(K:KItem |-> _:KItem M:Map, N:Map) => K in_keys(N) andBool subset(M, N) diff --git a/multisig/protocol-correctness/proof/invariant/BUILD b/multisig/protocol-correctness/proof/invariant/BUILD index 004de6487..b4374a00a 100644 --- a/multisig/protocol-correctness/proof/invariant/BUILD +++ b/multisig/protocol-correctness/proof/invariant/BUILD @@ -12,6 +12,19 @@ kompile( ], ) +klibrary( + name = "invariant-execution-files", + srcs = ["invariant-execution.k"], + deps = [ + ":count-can-sign-parts-files", + ":init-loop-parts-files", + ":perform-parts-files", + "//protocol-correctness/proof:execution-proof-files", + "//protocol-correctness/proof/functions:functions-execute-files", + ], + visibility = ["//visibility:public"], +) + # TODO: Delete. klibrary( name = "count-can-sign-parts-files", @@ -65,7 +78,7 @@ kprove_test( trusted = [ ":trusted-perform-parts-add-board-member", # ":trusted-perform-parts-add-proposer", - # ":trusted-perform-parts-change-quorum", + # ":trusted-perform-parts-change-quorum-with-quorum", # ":trusted-perform-parts-change-quorum-no-quorum", # ":trusted-perform-parts-New", # ":trusted-perform-parts-no-quorum", 
@@ -87,22 +100,36 @@ kprove_test( ":trusted-perform-parts-add-proposer-signers", ":trusted-perform-parts-add-proposer-no-signers", ":trusted-perform-parts-change-quorum", - ":trusted-perform-parts-change-quorum-no-quorum", ":trusted-perform-parts-New", ":trusted-perform-parts-no-quorum", ":trusted-perform-parts-None", - # ":trusted-perform-parts-Nothing", ":trusted-perform-parts-remove-user", ":trusted-perform-parts-sc-call", ":trusted-perform-parts-sc-deploy", ":trusted-perform-parts-send-egld", ], semantics = ":invariant-execution", + timeout = "eternal", + breadth = "7", + #depth ??? ) kprove_test( name = "proof-perform-parts-change-quorum", srcs = ["proof-perform-parts-change-quorum.k"], + trusted = [ + ":trusted-perform-parts-change-quorum-with-quorum", + ":trusted-perform-parts-change-quorum-no-quorum", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "6", + # depth = 21 +) + +kprove_test( + name = "proof-perform-parts-change-quorum-with-quorum", + srcs = ["proof-perform-parts-change-quorum-with-quorum.k"], trusted = [ "//protocol-correctness/proof/functions:trusted-perform-action-endpoint-change-quorum", ], 
@@ -311,20 +338,44 @@ kprove_test( name = "proof-perform-parts-remove-user", srcs = ["proof-perform-parts-remove-user.k"], trusted = [ - ":trusted-perform-parts-remove-user-BoardMember-eq", - ":trusted-perform-parts-remove-user-BoardMember-too-few-eq", - ":trusted-perform-parts-remove-user-BoardMember", - ":trusted-perform-parts-remove-user-BoardMember-too-few", + ":trusted-perform-parts-remove-user-eq", + ":trusted-perform-parts-remove-user-neq", ":trusted-perform-parts-remove-user-New", ":trusted-perform-parts-remove-user-None", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "9", + # depth = 32 +) + +kprove_test( + name = "proof-perform-parts-remove-user-eq", + srcs = ["proof-perform-parts-remove-user-eq.k"], + trusted = [ + ":trusted-perform-parts-remove-user-BoardMember-eq", + ":trusted-perform-parts-remove-user-BoardMember-too-few-eq", ":trusted-perform-parts-remove-user-Proposer-eq", ":trusted-perform-parts-remove-user-Proposer-nobody-left-eq", + ], + semantics = ":invariant-execution", + timeout = "eternal", + breadth = "12", + # depth = ~24 +) + +kprove_test( + name = "proof-perform-parts-remove-user-neq", + srcs = ["proof-perform-parts-remove-user-neq.k"], + trusted = [ + ":trusted-perform-parts-remove-user-BoardMember", + ":trusted-perform-parts-remove-user-BoardMember-too-few", ":trusted-perform-parts-remove-user-Proposer", ":trusted-perform-parts-remove-user-Proposer-nobody-left", ], semantics = ":invariant-execution", timeout = "eternal", - breadth = "5", + breadth = "13", # depth = ~25 ) @@ -743,8 +794,8 @@ ktrusted( ) ktrusted( - name = "trusted-perform-parts-change-quorum", - srcs = ["proof-perform-parts-change-quorum.k"], + name = "trusted-perform-parts-change-quorum-with-quorum", + srcs = ["proof-perform-parts-change-quorum-with-quorum.k"], visibility = ["//visibility:public"], ) 
@@ -784,6 +835,24 @@ ktrusted( visibility = ["//visibility:public"], ) +ktrusted( + name = "trusted-perform-parts-remove-user-eq", + srcs = ["proof-perform-parts-remove-user-eq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-remove-user-neq", + srcs = ["proof-perform-parts-remove-user-neq.k"], + visibility = ["//visibility:public"], +) + +ktrusted( + name = "trusted-perform-parts-change-quorum", + srcs = ["proof-perform-parts-change-quorum.k"], + visibility = ["//visibility:public"], +) + ktrusted( name = "trusted-perform-parts-sc-call", srcs = ["proof-perform-parts-sc-call.k"], diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-1.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-1.k new file mode 100644 index 000000000..cf05f2337 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-1.k 
@@ -0,0 +1,573 @@ +//@ proof +require "trusted-perform-parts-add-board-member.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-signers.k" //@ Bazel remove +require "trusted-perform-parts-add-proposer-no-signers.k" //@ Bazel remove +require "trusted-perform-parts-change-quorum.k" //@ Bazel remove +require "trusted-perform-parts-New.k" //@ Bazel remove +require "trusted-perform-parts-no-quorum.k" //@ Bazel remove +require "trusted-perform-parts-None.k" //@ Bazel remove +require "trusted-perform-parts-remove-user.k" //@ Bazel remove +require "trusted-perform-parts-sc-call.k" //@ Bazel remove +require "trusted-perform-parts-sc-deploy.k" //@ Bazel remove +require "trusted-perform-parts-send-egld.k" //@ Bazel remove + + +module PROOF-PERFORM-PARTS-1 + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-SIGNERS + imports TRUSTED-PERFORM-PARTS-ADD-PROPOSER-NO-SIGNERS + imports TRUSTED-PERFORM-PARTS-CHANGE-QUORUM + imports TRUSTED-PERFORM-PARTS-NEW + imports TRUSTED-PERFORM-PARTS-NO-QUORUM + imports TRUSTED-PERFORM-PARTS-NONE + imports TRUSTED-PERFORM-PARTS-REMOVE-USER + imports TRUSTED-PERFORM-PARTS-SC-CALL + imports TRUSTED-PERFORM-PARTS-SC-DEPLOY + imports TRUSTED-PERFORM-PARTS-SEND-EGLD +//@ trusted +// module TRUSTED-PERFORM-PARTS-1 +//@ end + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitAction(Action:Action) + ~> splitPerformActionEndpoint4(Action) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + 
ActionLastIndex0:Usize, + (ActionId |-> Action _ActionData:Map) #as ActionData:Map, + (ActionId |-> Signers:ExpressionList _ActionSigners:Map) #as ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule + +/* + #Not ( { + A + #Equals + Nothing + } ) +#And + #Not ( { + CSV + #Equals + . 
+ } ) +#And + #Not ( { + V + #Equals + 0 + } ) +#And + #Not ( { + V + #Equals + NumUsers0 +Int 1 + } ) +#And + #Not ( { + V + #Equals + NumUsers0 +Int 2 + } ) +#And + #Not ( { + _ActionId0 + #Equals + ActionLastIndex1 +Int 1 + } ) +#And + + + + splitAction ( A ) ~> splitPerformActionEndpoint4 ( A ) ~> call ( performActionEndpoint ( u ( _ActionId0 ) ) ) ~> popContext ~> evaluateReturnValue ~> clearExternalCallEnv ~> splitActionSigners ( u ( _ActionId0 ) , 'QuesUnds'Remainder1 + u ( _ActionId0 ) |-> [ CSV ] ) ~> runExternalCalls ( EC ) ~> . + + + + + + u ( NumUsers0 ) + + + UserIdToAddress + + + 'QuesUnds'Remainder + address ( _1 ) |-> u ( V ) + + + + + u ( countMapValues ( 'QuesUnds'Remainder0 , wrap ( BoardMember ) ) ) + + + u ( countMapValues ( 'QuesUnds'Remainder0 , wrap ( Proposer ) ) +Int 1 ) + + + 'QuesUnds'Remainder0 + u ( V ) |-> Proposer + + + u ( Quorum0 ) + + + + + u ( ActionLastIndex1 ) + + + + 'QuesUnds'Remainder2 + u ( _ActionId0 ) |-> A:Action + + + 'QuesUnds'Remainder1 + u ( _ActionId0 ) |-> [ CSV ] + + + + + + + .Map + + + stack ( + + + u ( NumUsers0 ) + + + UserIdToAddress + + + 'QuesUnds'Remainder + address ( _1 ) |-> u ( V ) + + + + + u ( countMapValues ( 'QuesUnds'Remainder0 , wrap ( BoardMember ) ) ) + + + u ( countMapValues ( 'QuesUnds'Remainder0 , wrap ( Proposer ) ) +Int 1 ) + + + 'QuesUnds'Remainder0 + u ( V ) |-> Proposer + + + u ( Quorum0 ) + + + + + u ( ActionLastIndex1 ) + + + + 'QuesUnds'Remainder2 + u ( _ActionId0 ) |-> A:Action + + + 'QuesUnds'Remainder1 + u ( _ActionId0 ) |-> [ CSV ] + + + + , .Map , _PerformedActions , .stack ) + + + + + address ( _1 ) + + + + + _PerformedActions + + + + + +#And + { + 'QuesUnds'Value0 + #Equals + Proposer + } +#And + { + 'QuesUnds'Value1 + #Equals + [ CSV ] + } +#And + { + 'QuesUnds'Value2 + #Equals + A:Action + } +#And + { + 'QuesUnds'Value + #Equals + u ( V ) + } +#And + { + ActionData0 + #Equals + 'QuesUnds'Remainder2 + u ( _ActionId0 ) |-> A:Action + } +#And + { + ActionSigners0 + #Equals + 
'QuesUnds'Remainder1 + u ( _ActionId0 ) |-> [ CSV ] + } +#And + { + AddressToUserId + #Equals + 'QuesUnds'Remainder + address ( _1 ) |-> u ( V ) + } +#And + { + U0 + #Equals + Proposer + } +#And + { + U + #Equals + u ( V ) + } +#And + { + UserRoles + #Equals + 'QuesUnds'Remainder0 + u ( V ) |-> Proposer + } +#And + { + V0 + #Equals + [ CSV ] + } +#And + { + false + #Equals + address ( _1 ) in_keys ( 'QuesUnds'Remainder ) + } +#And + { + false + #Equals + u ( 0 ) in_keys ( 'QuesUnds'Remainder0 ) + } +#And + { + false + #Equals + u ( 0 ) in_keys ( UserIdToAddress ) + } +#And + { + false + #Equals + u ( ActionLastIndex1 +Int 1 ) in_keys ( 'QuesUnds'Remainder1 ) + } +#And + { + false + #Equals + u ( ActionLastIndex1 +Int 1 ) in_keys ( 'QuesUnds'Remainder2 ) + } +#And + { + false + #Equals + u ( NumUsers0 +Int 1 ) in_keys ( 'QuesUnds'Remainder0 ) + } +#And + { + false + #Equals + u ( NumUsers0 +Int 1 ) in_keys ( UserIdToAddress ) + } +#And + { + false + #Equals + u ( V ) in_keys ( 'QuesUnds'Remainder0 ) + } +#And + { + false + #Equals + u ( _ActionId0 ) in_keys ( 'QuesUnds'Remainder1 ) + } +#And + { + false + #Equals + u ( _ActionId0 ) in_keys ( 'QuesUnds'Remainder2 ) + } +#And + { + true + #Equals + #allValuesBecomeKeys ( 'QuesUnds'Remainder , keysMap ( UserIdToAddress ) ) + } +#And + { + true + #Equals + #allValuesBecomeKeys ( UserIdToAddress , address ( _1 ) |-> 0 + keysMap ( 'QuesUnds'Remainder ) ) + } +#And + { + true + #Equals + #noReusedIndexValue ( NumUsers0 +Int 2 , 'QuesUnds'Remainder , expanded ) + } +#And + { + true + #Equals + NumUsers0 +Int 1 >Int V + } +#And + { + true + #Equals + NumUsers0 >=Int 0 + } +#And + { + true + #Equals + Quorum0 <=Int countCanSignFunction ( [ CSV ] , concat ( u ( V ) , Proposer , opaque ( 'QuesUnds'Remainder0 ) ) ) + } +#And + { + true + #Equals + Quorum0 <=Int countMapValues ( 'QuesUnds'Remainder0 , wrap ( BoardMember ) ) + } +#And + { + true + #Equals + _ActionId0 <=Int ActionLastIndex1 + } +#And + { + true + #Equals + 
actionDataInvariant ( 'QuesUnds'Remainder2 ) + } +#And + { + true + #Equals + actionSignersInvariant ( 'QuesUnds'Remainder1 ) + } +#And + { + true + #Equals + addressToUserIdInvariant ( 'QuesUnds'Remainder ) + } +#And + { + true + #Equals + countMapValues ( 'QuesUnds'Remainder0 , wrap ( BoardMember ) ) >=Int 0 + } +#And + { + true + #Equals + countMapValues ( 'QuesUnds'Remainder0 , wrap ( Proposer ) ) +Int 1 >=Int 0 + } +#And + { + true + #Equals + isKResult ( CSV:ExpressionCSV ~> . ) + } +#And + { + true + #Equals + isKResultAction ( A ) + } +#And + { + true + #Equals + listElementsAreUsize ( [ CSV ] ) + } +#And + { + true + #Equals + maxMapKey ( u ( ActionLastIndex1 ) , keysMap ( 'QuesUnds'Remainder1 ) ) + } +#And + { + true + #Equals + maxMapKey ( u ( ActionLastIndex1 ) , keysMap ( 'QuesUnds'Remainder2 ) ) + } +#And + { + true + #Equals + u ( V ) in_keys ( UserIdToAddress ) + } +#And + { + true + #Equals + unusedIdsInMapKeys ( ActionLastIndex1 +Int 2 , keysMap ( 'QuesUnds'Remainder1 ) , expanded ) + } +#And + { + true + #Equals + unusedIdsInMapKeys ( ActionLastIndex1 +Int 2 , keysMap ( 'QuesUnds'Remainder2 ) , expanded ) + } +#And + { + true + #Equals + unusedIdsInMapKeys ( NumUsers0 +Int 2 , keysMap ( 'QuesUnds'Remainder0 ) , expanded ) + } +#And + { + true + #Equals + unusedIdsInMapKeys ( NumUsers0 +Int 2 , keysMap ( UserIdToAddress ) , expanded ) + } +#And + { + true + #Equals + unusedIdsInMapValues ( NumUsers0 +Int 1 , 'QuesUnds'Remainder , expanded ) + } +#And + { + true + #Equals + userIdToRoleInvariant ( 'QuesUnds'Remainder0 ) + } +#And + { + true + #Equals + valueNotInMapValues ( u ( NumUsers0 +Int 1 ) , 'QuesUnds'Remainder ) + } +#And + { + true + #Equals + valueNotInMapValues ( u ( NumUsers0 +Int 2 ) , 'QuesUnds'Remainder ) + } +#And + { + true + #Equals + valueNotInMapValues ( u ( V ) , 'QuesUnds'Remainder ) + } +*/ \ No newline at end of file 
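Review bot: Everything from the `/*` after `endmodule` to the closing `*/` — several hundred lines of prover output (`#And`, `'QuesUnds'Remainder`, `#Equals` blocks) — is committed as a comment inside the proof file; this looks like debugging output left in by accident and should be removed or kept outside the source tree, since it will mislead anyone reading the file for the claim. The file also ends without a trailing newline (`\ No newline at end of file`). Separately, the name `PROOF-PERFORM-PARTS-1` says nothing about which case of `performActionEndpoint` the claim covers, the trusted module line is commented out (`// module TRUSTED-PERFORM-PARTS-1`), and I do not see a `kprove_test` target for this file in the invariant/BUILD hunks of this commit, so it may not run in CI; an unregistered proof gives no assurance, so please confirm. A one-line header comment above `claim`, e.g. `// Dispatch over an arbitrary Action via splitAction/splitPerformActionEndpoint4; the per-action cases are the imported trusted modules.`, would help — the dispatch reading is my inference from the imports.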
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-with-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-with-quorum.k new file mode 100644 index 000000000..41de93ab9 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum-with-quorum.k 
@@ -0,0 +1,71 @@
+//@ proof
+require "../functions/trusted-perform-action-endpoint-change-quorum.k" //@ Bazel remove
+
+module PROOF-PERFORM-PARTS-CHANGE-QUORUM-WITH-QUORUM
+ imports TRUSTED-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM
+//@ trusted
+// module TRUSTED-PERFORM-PARTS-CHANGE-QUORUM-WITH-QUORUM
+//@ end
+
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+
+ claim
+ change-quorum.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K
+ invariantStateFull(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize
+ _AddressToUserId:Map
+ ) #as AddressToUserId:Map,
+ u(NumBoardMembers:Int),
+ NumProposers:Usize,
+ (CallerId |-> Role:UserRole
+ _UserIdToRole:Map
+ ) #as UserIdToRole:Map,
+ u(OldQuorum:Int),
+ ActionLastIndex:Usize,
+ ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action
+ ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ Stack:Stack,
+ .Map,
+ PerformedActions:List
+ )
+
+ =>
+
+ evaluate(void) ~> K:K
+ invariantStateFull(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ u(NumBoardMembers),
+ NumProposers,
+ UserIdToRole,
+ u(NewQuorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners[ActionId <- undef],
+ CallerAddress,
+ Stack,
+ ?_Variables:Map,
+ ListItem(Action) PerformedActions
+ )
+
+ requires true
+ // perform-from-id
+ andBool isKResult(Action)
+ andBool NewQuorum <=Int NumBoardMembers
+
+ // perform-fragment
+ andBool actionSignersInvariant(ActionSigners)
+ andBool userIdToRoleInvariant(UserIdToRole)
+ andBool (Role ==K BoardMember orBool Role ==K Proposer)
+ andBool OldQuorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures true
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k
index 284e8f945..6c10cbbbc 100644
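Review bot: The claim covers the accepted-quorum case only through `andBool NewQuorum <=Int NumBoardMembers` in its `requires`, and nothing in the file says this is one half of a case split with proof-perform-parts-change-quorum-no-quorum.k (the sibling named in the BUILD and proof-perform-parts-change-quorum.k hunks). A header comment above `claim` would make the split explicit: `// ChangeQuorum case in which the new quorum fits the board (NewQuorum <=Int NumBoardMembers) and is applied; the rejected case is proved in proof-perform-parts-change-quorum-no-quorum.k.` — the rejected-case reading is inferred from the sibling's name. Worth documenting alongside it: the `requires` has no lower bound on `NewQuorum`, so the claim includes `NewQuorum = 0`, and since `Quorum <=Int countCanSignFunction(...)` is the only signature condition on performing an action, a zero quorum is the most security-relevant value of this parameter; if the endpoint is meant to reject it, that belongs in the split, and if it is accepted, the comment should say so explicitly.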
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-change-quorum.k 
@@ -1,69 +1,98 @@ //@ proof -require "../functions/trusted-perform-action-endpoint-change-quorum.k" //@ Bazel remove +require "trusted-perform-parts-change-quorum-no-quorum.k" //@ Bazel remove +require "trusted-perform-parts-change-quorum-with-quorum.k" //@ Bazel remove module PROOF-PERFORM-PARTS-CHANGE-QUORUM - imports TRUSTED-PERFORM-ACTION-ENDPOINT-CHANGE-QUORUM + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-CHANGE-QUORUM-NO-QUORUM + imports TRUSTED-PERFORM-PARTS-CHANGE-QUORUM-WITH-QUORUM //@ trusted // module TRUSTED-PERFORM-PARTS-CHANGE-QUORUM //@ end - imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION claim - change-quorum.k ~> call(performActionEndpoint(ActionId:Usize)) ~> K:K - invariantStateFull( + splitPerformActionEndpoint4(ChangeQuorum(_NewQuorum:Usize) #as Action:Action) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( NumUsers:Usize, UserIdToAddress:Map, - (CallerAddress |-> CallerId:Usize - _AddressToUserId:Map - ) #as AddressToUserId:Map, - u(NumBoardMembers:Int), + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, NumProposers:Usize, - (CallerId |-> Role:UserRole - _UserIdToRole:Map - ) #as UserIdToRole:Map, - u(OldQuorum:Int), - ActionLastIndex:Usize, - ActionId |-> ChangeQuorum(u(NewQuorum:Int)) #as Action:Action - ActionData:Map, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> Action _ActionData:Map) #as ActionData:Map, ActionSigners:Map, CallerAddress:Address, - Stack:Stack, - .Map, - PerformedActions:List - ) + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + 
ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) => - evaluate(void) ~> K:K - invariantStateFull( - NumUsers, - UserIdToAddress, - AddressToUserId, - u(NumBoardMembers), - NumProposers, - UserIdToRole, - u(NewQuorum), - ActionLastIndex, - ActionData, - ActionSigners[ActionId <- undef], - CallerAddress, - Stack, - ?_Variables:Map, - ListItem(Action) PerformedActions - ) + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell requires true - // perform-from-id - andBool isKResult(Action) - andBool NewQuorum <=Int NumBoardMembers - - // perform-fragment - andBool actionSignersInvariant(ActionSigners) - andBool userIdToRoleInvariant(UserIdToRole) - andBool (Role ==K BoardMember orBool Role ==K Proposer) - andBool OldQuorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) - ensures true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) //@ proof //@ trusted // [trusted] 
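Review bot: The rewritten claim drops the `// perform-from-id` and `// perform-fragment` comments that grouped the old preconditions, and the new `requires`/`ensures` carry no explanation of `expand(expanded)` versus `usesExpanded` or of why `invariantStateStack` with the pre-state `invariantMultisigState` pushed on the stack is the starting configuration. Add a short comment above `requires true`, e.g. `// Pre-state satisfies the full invariant (expanded form); once the endpoint returns and the external calls are run, the resulting state must satisfy it again.` The same block of roughly seventy lines — the `invariantStateStack(...)` pattern, the `invariant(...)` hypothesis and the `ensures invariant(...)` — is repeated verbatim in proof-perform-parts-remove-user-eq.k and proof-perform-parts-1.k in this commit; if the claim cannot be factored in K, at least keep that explanatory comment in one place and point to it from the others. The hunk ends at `// [trusted]`, so the module's closing lines are outside it.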
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-eq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-eq.k new file mode 100644 index 000000000..787fac588 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-eq.k 
@@ -0,0 +1,104 @@
+//@ proof
+require "trusted-perform-parts-remove-user-BoardMember-eq.k" //@ Bazel remove
+require "trusted-perform-parts-remove-user-BoardMember-too-few-eq.k" //@ Bazel remove
+require "trusted-perform-parts-remove-user-Proposer-eq.k" //@ Bazel remove
+require "trusted-perform-parts-remove-user-Proposer-nobody-left-eq.k" //@ Bazel remove
+
+module PROOF-PERFORM-PARTS-REMOVE-USER-EQ
+ imports INVARIANT-EXECUTION
+
+ imports TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-EQ
+ imports TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-TOO-FEW-EQ
+ imports TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER-EQ
+ imports TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER-NOBODY-LEFT-EQ
+//@ trusted
+// module TRUSTED-PERFORM-PARTS-REMOVE-USER-EQ
+//@ end
+ imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION
+
+ claim
+ splitRemoveUser1(CallerAddress:Address)
+ ~> call(performActionEndpoint(ActionId:Usize))
+ ~> popContext
+ ~> evaluateReturnValue
+ ~> clearExternalCallEnv
+ ~> splitActionSigners(ActionId:Usize, ActionSigners:Map)
+ ~> runExternalCalls(EC:ExternalCommands)
+
+ invariantStateStack(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map,
+ u(Quorum:Int),
+ ActionLastIndex0:Usize,
+ (ActionId |-> RemoveUser(CallerAddress:Address) _ActionData:Map) #as ActionData:Map,
+ ActionSigners:Map,
+ CallerAddress:Address,
+ stack(
+ invariantMultisigState(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex0,
+ ActionData,
+ ActionSigners),
+ .Map,
+ PerformedActions,
+ .stack),
+ PerformedActions:List)
+
+ =>
+
+ runExternalCalls(EC)
+ invariantState(
+ ?NumUsers1:Usize,
+ ?UserIdToAddress1:Map,
+ ?AddressToUserId1:Map,
+ ?NumBoardMembers1:Usize,
+ ?NumProposers1:Usize,
+ ?UserIdToRole1:Map,
+ ?Quorum1:Usize,
+ ?ActionLastIndex1:Usize,
+ ?ActionData1:Map,
+ ?ActionSigners1:Map,
+ ?_PerformedActions:List):StateCell
+
+ requires true
+ andBool invariant(
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserIdToRole,
+ u(Quorum),
+ ActionLastIndex0,
+ ActionData,
+ ActionSigners,
+ expand(expanded))
+ andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer)
+ andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole))
+ ensures invariant(
+ ?NumUsers1,
+ ?UserIdToAddress1,
+ ?AddressToUserId1,
+ ?NumBoardMembers1,
+ ?NumProposers1,
+ ?UserIdToRole1,
+ ?Quorum1,
+ ?ActionLastIndex1,
+ ?ActionData1,
+ ?ActionSigners1,
+ usesExpanded)
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-neq.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-neq.k
new file mode 100644
index 000000000..0a3624a87
--- /dev/null
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user-neq.k
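Review bot: Nothing in the file states that this is the self-removal case: the pattern `(ActionId |-> RemoveUser(CallerAddress:Address) _ActionData:Map)` binds the removed address to the caller's own address, and `splitRemoveUser1(CallerAddress:Address)` takes the same variable. Add above `claim`: `// RemoveUser where the removed address is the caller's own (self-removal); the other-user case is proof-perform-parts-remove-user-neq.k.` This is the case in which the board can lose its last member or fall below the quorum, which the imported trusted modules (`...-BOARDMEMBER-TOO-FEW-EQ`, `...-PROPOSER-NOBODY-LEFT-EQ`) suggest is split out; naming those sub-cases in the same comment would tell a reader where the board-size and quorum checks are proved. I infer the meaning of the sub-cases from their module names.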
@@ -0,0 +1,111 @@ +//@ proof +require "trusted-perform-parts-remove-user-BoardMember.k" //@ Bazel remove +require "trusted-perform-parts-remove-user-BoardMember-too-few.k" //@ Bazel remove +require "trusted-perform-parts-remove-user-Proposer.k" //@ Bazel remove +require "trusted-perform-parts-remove-user-Proposer-nobody-left.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER-NEQ + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-BOARDMEMBER-TOO-FEW + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-PROPOSER-NOBODY-LEFT +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER-NEQ +//@ end + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitRemoveUser3(UserAddress:Address) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize + UserAddress |-> u(UserId:Int) + _AddressToUserId:Map + ) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole + _UserIdToRole:Map + ) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> RemoveUser(UserAddress:Address) _ActionData:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, 
+ ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell + + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + andBool notBool UserAddress ==K CallerAddress + andBool u(UserId) in_keys(UserIdToRole) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user.k b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user.k new file mode 100644 index 000000000..3f8f944a6 --- /dev/null +++ b/multisig/protocol-correctness/proof/invariant/proof-perform-parts-remove-user.k 
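Review bot: The hypotheses `notBool UserAddress ==K CallerAddress` and `u(UserId) in_keys(UserIdToRole)` carry the whole case split but are not explained; the -New and -None variants required by proof-perform-parts-remove-user.k presumably cover an address that is not registered and a user without a role, yet nothing here records that eq/neq/New/None together are exhaustive. Suggest a comment above `requires`: `// Removed user is a registered user other than the caller; the eq, New and None cases are proved separately.`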
@@ -0,0 +1,104 @@ +//@ proof +require "trusted-perform-parts-remove-user-eq.k" //@ Bazel remove +require "trusted-perform-parts-remove-user-neq.k" //@ Bazel remove +require "trusted-perform-parts-remove-user-New.k" //@ Bazel remove +require "trusted-perform-parts-remove-user-None.k" //@ Bazel remove + +module PROOF-PERFORM-PARTS-REMOVE-USER + imports INVARIANT-EXECUTION + + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-EQ + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-NEQ + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-NEW + imports TRUSTED-PERFORM-PARTS-REMOVE-USER-NONE +//@ trusted +// module TRUSTED-PERFORM-PARTS-REMOVE-USER +//@ end + imports PERFORM-ACTION-ENDPOINT-INSTRUMENTATION + + claim + splitPerformActionEndpoint4(RemoveUser(_UserAddress:Address) #as Action:Action) + ~> call(performActionEndpoint(ActionId:Usize)) + ~> popContext + ~> evaluateReturnValue + ~> clearExternalCallEnv + ~> splitActionSigners(ActionId:Usize, ActionSigners:Map) + ~> runExternalCalls(EC:ExternalCommands) + + invariantStateStack( + NumUsers:Usize, + UserIdToAddress:Map, + (CallerAddress |-> CallerId:Usize _AddressToUserId:Map) #as AddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + (CallerId |-> CallerRole:UserRole _UserIdToRole:Map) #as UserIdToRole:Map, + u(Quorum:Int), + ActionLastIndex0:Usize, + (ActionId |-> Action _ActionData:Map) #as ActionData:Map, + ActionSigners:Map, + CallerAddress:Address, + stack( + invariantMultisigState( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners), + .Map, + PerformedActions, + .stack), + PerformedActions:List) + + => + + runExternalCalls(EC) + invariantState( + ?NumUsers1:Usize, + ?UserIdToAddress1:Map, + ?AddressToUserId1:Map, + ?NumBoardMembers1:Usize, + ?NumProposers1:Usize, + ?UserIdToRole1:Map, + ?Quorum1:Usize, + ?ActionLastIndex1:Usize, + ?ActionData1:Map, + ?ActionSigners1:Map, + ?_PerformedActions:List):StateCell 
+ + requires true + andBool invariant( + NumUsers, + UserIdToAddress, + AddressToUserId, + NumBoardMembers, + NumProposers, + UserIdToRole, + u(Quorum), + ActionLastIndex0, + ActionData, + ActionSigners, + expand(expanded)) + andBool (CallerRole ==K BoardMember orBool CallerRole ==K Proposer) + andBool Quorum <=Int countCanSignFunction({ActionSigners[ActionId] orDefault [.]}:>ExpressionList, opaque(UserIdToRole)) + ensures invariant( + ?NumUsers1, + ?UserIdToAddress1, + ?AddressToUserId1, + ?NumBoardMembers1, + ?NumProposers1, + ?UserIdToRole1, + ?Quorum1, + ?ActionLastIndex1, + ?ActionData1, + ?ActionSigners1, + usesExpanded) + //@ proof + //@ trusted + // [trusted] + //@ end +endmodule diff --git a/multisig/protocol-correctness/proof/malicious-user/BUILD b/multisig/protocol-correctness/proof/malicious-user/BUILD new file mode 100644 index 000000000..87f06571b --- /dev/null +++ b/multisig/protocol-correctness/proof/malicious-user/BUILD @@ -0,0 +1,12 @@ +load("//:proof.bzl", "kompile", "klibrary") + +kompile( + name = "malicious-user-execute", + srcs = ["malicious-user-execute.k"], + deps = [ + "//protocol-correctness/proof:execution-proof-files", + "//protocol-correctness/proof/invariant:invariant-execution-files", + # "//protocol-correctness/proof/functions:functions-execute-files", + ], + visibility = ["//visibility:public"], +) diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k index 1ca648cd8..eb836bf83 100644 --- a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k +++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k 
@@ -1,15 +1,101 @@ -require "../execution-proof.k" -require "../invariant/invariant-execution.k" +require "protocol-correctness/proof/execution-proof.k" +require "protocol-correctness/proof/invariant/invariant-execution.k" module MALICIOUS-USER-EXECUTE-SYNTAX imports EXECUTION-PROOF-SYNTAX endmodule +module MALICIOUS-USER-INVARIANT-FUNCTIONS + imports MAP + imports PSEUDOCODE-SYNTAX + + syntax Bool ::= onlyThisSigner(addressToUserId:Map, Address, actionSigners:Map) + [function, functional] + + rule onlyThisSigner( + _AddressToUserId:Map, + _Address:Address, + .Map) + => true + rule onlyThisSigner( + AddressToUserId:Map, + Address:Address, + _Key |-> Signers ActionSigners:Map) + => + #if Address in_keys(AddressToUserId) + #then oneElementList(AddressToUserId[Address] orDefault void, Signers) + #else false + #fi + andBool onlyThisSigner(AddressToUserId, Address, ActionSigners) + [simplification] + + syntax Bool ::= oneElementList(element:KItem, ExpressionList) [function, functional] + rule oneElementList(E:Expression, [E, .]) => true + rule oneElementList(_, _) => false [owise] +endmodule + +module MALICIOUS-USER-INVARIANT + imports INVARIANT + imports MALICIOUS-USER-INVARIANT-FUNCTIONS + + syntax Bool ::= maliciousInvariant( + maliciousAddress:Address, + numUsers:Usize, + initialUserIdToAddress:Map, + currentUserIdToAddress:Map, + initinalAddressToUserId:Map, + currentAddressToUserId:Map, + numBoardMembers:Usize, + numProposers:Usize, + userRoles:Map, + quorum:Usize, + actionLastIndex:Usize, + actionData:Map, + actionSigners:Map, + PropertyHandling) + [function, functional] + + rule maliciousInvariant( + MaliciousAddress:Address, + NumUsers:Usize, + InitialUserIdToAddress:Map, + CurrentUserIdToAddress:Map, + InitialAddressToUserId:Map, + CurrentAddressToUserId:Map, + NumBoardMembers:Usize, + NumProposers:Usize, + UserRoles:Map, + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, + Handling:PropertyHandling) + => true + andBool invariant( 
+ NumUsers, + CurrentUserIdToAddress, + CurrentAddressToUserId, + NumBoardMembers, + NumProposers, + UserRoles, + u(Quorum), + ActionLastIndex, + ActionData, + ActionSigners, + Handling) + andBool mapIncluded(InitialUserIdToAddress, CurrentUserIdToAddress) + andBool mapIncluded(InitialAddressToUserId, CurrentAddressToUserId) + andBool onlyThisSigner(CurrentAddressToUserId, MaliciousAddress, ActionSigners) + andBool Quorum >=Int 2 +endmodule + + module MALICIOUS-USER-HELPERS + imports PSEUDOCODE-SYNTAX syntax KItem ::= runExternalCallsFromUser(Address, steps:Int) - rule runExternalCallsFromUser(A:Address, Steps:Int) => .K + rule runExternalCallsFromUser(_:Address, Steps:Int) => .K requires Steps <=Int 0 rule runExternalCallsFromUser(A:Address, Steps:Int) => runExternalCallFromUser(A) ~> runExternalCallsFromUser(A, Steps -Int 1) 
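Review bot: The recursive case of `onlyThisSigner` carries `[simplification]` while the base case does not; as far as I can tell that makes the non-empty-map case available only to the symbolic simplifier, so a concrete evaluation would get stuck despite the `functional` attribute — if that is intended, say so in a comment, otherwise drop the attribute. The `orDefault void` inside the `#then` branch is unreachable, because `Address in_keys(AddressToUserId)` was just tested. `maliciousInvariant` is the property this whole directory argues about, yet `Quorum >=Int 2` has no comment; suggest `// Every action has the malicious user as its sole signer, so a quorum of at least 2 can never be reached by that user alone.` The MALICIOUS-USER-HELPERS module continues in the next hunk.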
@@ -17,30 +103,44 @@ module MALICIOUS-USER-HELPERS syntax KItem ::= runExternalCallFromUser(Address) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeAddBoardMember(U:Usize)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeAddProposer(U:Usize)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeRemoveUser(U:Usize)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeChangeQuorum(Quorum:Usize)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeSendEgld(To:Address, Amount:BigUint, Data:BoxedBytes)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeSCDeploy( - Amount:BigUint, - Code:BoxedBytes, - Upgradeable:Bool, - Payable:Bool, - Readable:Bool, - Args:ExpressionList)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run proposeSCCall( - To:Address, - Amount:BigUint, - Function:BoxedBytes, - Args:ExpressionList)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run sign(A:ActionId)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run unsign(A:ActionId)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run performActionEndpoint(A:ActionId)) - rule runExternalCallFromUser(A:Address) => runExternalCall(from A run discardAction(A:ActionId)) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeAddBoardMember(?_UserAddress:Address);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeAddProposer(?_UserAddress:Address);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeRemoveUser(?_UserAddress:Address);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeChangeQuorum(?_Quorum:Usize);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeSendEgld( + ?_To:Address, ?_Amount:BigUint, 
?_Data:BoxedBytes);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeSCDeploy( + ?_Amount:BigUint, + ?_Code:BoxedBytes, + ?_Upgradeable:Bool, + ?_Payable:Bool, + ?_Readable:Bool, + ?_Args:ExpressionList);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run proposeSCCall( + ?_To:Address, + ?_Amount:BigUint, + ?_Function:BoxedBytes, + ?_Args:ExpressionList);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run sign(?_ActionId:Usize);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run unsign(?_ActionId:Usize);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run performActionEndpoint(?_ActionId:Usize);) + rule runExternalCallFromUser(A:Address) + => runExternalCall(from A run discardAction(?_ActionId:Usize);) endmodule module MALICIOUS-USER-EXECUTE imports EXECUTION-PROOF imports INVARIANT-EXECUTION + imports MALICIOUS-USER-INVARIANT + imports MALICIOUS-USER-HELPERS endmodule \ No newline at end of file diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak b/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak index 635fc0bcd..774a5f0db 100644 --- a/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak +++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user.mak 
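Review bot: The eleven `runExternalCallFromUser` rules overlap on purpose so the prover explores every endpoint with fresh arguments, but nothing says so, and a reader may take the overlap for a mistake. Suggest a comment above the first rule: `// Intentionally non-deterministic: the user may call any endpoint with arbitrary arguments (the ?_ variables).`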
@@ -1,8 +1,7 @@
 MALICIOUS_USER_OUT_PREFIX=out/malicious-user.
-MALICIOUS_USER_ALL := $(wildcard $(MALICIOUS_USER_DIR)/*.k)
-MALICIOUS_USER_PROOFS := $(wildcard $(MALICIOUS_USER_DIR)/proof-*.k)
-MALICIOUS_USER_EXECUTION := $(filter-out $(MALICIOUS_USER_PROOFS), $(MALICIOUS_USER_ALL)) $(PROOF_EXECUTION) $(INVARIANT_EXECUTION)
+MALICIOUS_USER_PROOFS := $(wildcard $(MALICIOUS_USER_DIR)/proofs/*.k)
+MALICIOUS_USER_EXECUTION := $(wildcard $(MALICIOUS_USER_DIR)/*.k) $(PROOF_EXECUTION) $(INVARIANT_EXECUTION)
 MALICIOUS_USER_PROOF_TIMESTAMPS := $(addprefix $(MALICIOUS_USER_OUT_PREFIX),$(notdir ${MALICIOUS_USER_PROOFS:.k=.timestamp}))
 MALICIOUS_USER_PROOF_DEBUGGERS := $(addprefix $(MALICIOUS_USER_OUT_PREFIX),$(notdir ${MALICIOUS_USER_PROOFS:.k=.debugger}))
@@ -13,7 +12,7 @@ $(MALICIOUS_USER_OUT_PREFIX)proof.timestamp: ${MALICIOUS_USER_PROOF_TIMESTAMPS}
 $(DIR_GUARD)
 @touch $(MALICIOUS_USER_OUT_PREFIX)proof.timestamp
-$(MALICIOUS_USER_OUT_PREFIX)proof-%.timestamp: ${MALICIOUS_USER_DIR}/proof-%.k $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
+$(MALICIOUS_USER_OUT_PREFIX)proof-%.timestamp: ${MALICIOUS_USER_DIR}/proofs/proof-%.k $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
 $(DIR_GUARD)
 @echo "Proving $*..."
 @cat /proc/uptime | sed 's/\s.*//' > $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration.temp
@@ -23,7 +22,7 @@ $(MALICIOUS_USER_OUT_PREFIX)proof-%.timestamp: ${MALICIOUS_USER_DIR}/proof-%.k $
 @rm $(MALICIOUS_USER_OUT_PREFIX)proof-$*.duration.temp
 @touch $(MALICIOUS_USER_OUT_PREFIX)proof-$*.timestamp
-$(MALICIOUS_USER_OUT_PREFIX)proof-%.debugger: ${MALICIOUS_USER_DIR}/proof-%.k $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
+$(MALICIOUS_USER_OUT_PREFIX)proof-%.debugger: ${MALICIOUS_USER_DIR}/proofs/proof-%.k $(MALICIOUS_USER_OUT_PREFIX)execution.timestamp
 $(DIR_GUARD)
 @echo "Debugging $*..."
 @kprove $< --directory $(MALICIOUS_USER_DIR) --haskell-backend-command $(DEBUG_COMMAND)
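Review bot: `MALICIOUS_USER_PROOFS` now globs `proofs/*.k` instead of the old `proof-*.k` prefix, so any non-`proof-` file that ever lands in `proofs/` (for instance a generated `trusted-*.k`, if the ktrusted targets write there) becomes a `proof-%.timestamp` target that no pattern rule in this file can build. Keeping the prefix, `MALICIOUS_USER_PROOFS := $(wildcard $(MALICIOUS_USER_DIR)/proofs/proof-*.k)`, avoids that and matches the `proofs/proof-%.k` prerequisites below.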
diff --git a/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD b/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD new file mode 100644 index 000000000..765756928 --- /dev/null +++ b/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD @@ -0,0 +1,10 @@ +load("//:proof.bzl", "kprove_test", "ktrusted") + +kprove_test( + name = "proof-cannot-perform", + srcs = ["proof-cannot-perform.k"], + trusted = [ + ], + semantics = "//protocol-correctness/proof/malicious-user:malicious-user-execute", + timeout = "eternal", +) diff --git a/multisig/protocol-correctness/proof/malicious-user/proof-call-invariant.k b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-call-invariant.k similarity index 100% rename from multisig/protocol-correctness/proof/malicious-user/proof-call-invariant.k rename to multisig/protocol-correctness/proof/malicious-user/proofs/proof-call-invariant.k diff --git a/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k similarity index 50% rename from multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k rename to multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k index ba45872f9..841879a18 100644 --- a/multisig/protocol-correctness/proof/malicious-user/proof-cannot-perform.k +++ b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k @@ -11,15 +11,15 @@ module PROOF-CANNOT-PERFORM NumBoardMembers:Usize, NumProposers:Usize, UserRoles:Map, - Quorum:Usize, - ActionLastIndex0:Usize, - ActionId:Usize |-> Action:Action, - .Map, // ActionSigners + u(Quorum:Int), + ActionLastIndex:Usize, + ActionData:Map, + ActionSigners:Map, PerformedActions:List) => - runExternalCalls(EC) + K invariantState( NumUsers, ?UserIdToAddress:Map, 
@@ -27,7 +27,7 @@ module PROOF-CANNOT-PERFORM
 NumBoardMembers,
 NumProposers,
 UserRoles,
- Quorum,
+ u(Quorum),
 ?ActionLastIndex1:Usize,
 ?ActionData1:Map,
 ?ActionSigners1:Map,
@@ -35,19 +35,36 @@ module PROOF-CANNOT-PERFORM
 requires true
 andBool maliciousInvariant(
- NumUsers:Usize,
- UserIdToAddress:Map,
- AddressToUserId:Map,
- NumBoardMembers:Usize,
- NumProposers:Usize,
- UserRoles:Map,
- Quorum:Usize,
- ActionLastIndex0:Usize,
- ActionData0:Map,
- ActionSigners0:Map,
+ MaliciousAddress,
+ NumUsers,
+ UserIdToAddress,
+ UserIdToAddress,
+ AddressToUserId,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ u(Quorum),
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
 expand(expanded))
+
+ // andBool Quorum >=Int 2
 ensures true
- andBool mapIncluded(AddressToUserId, ?AddressToUserId)
- andBool mapIncluded(UserIdToAddress, ?UserIdToAddress)
- andBool atMostOneSigner(?ActionSigners1)
+ andBool maliciousInvariant(
+ MaliciousAddress,
+ NumUsers,
+ UserIdToAddress,
+ ?UserIdToAddress,
+ AddressToUserId,
+ ?AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ u(Quorum),
+ ?ActionLastIndex,
+ ?ActionData,
+ ?ActionSigners,
+ usesExpanded)
 endmodule
diff --git a/multisig/protocol-correctness/pseudocode.k b/multisig/protocol-correctness/pseudocode.k
index 1a61f36c9..8fb1d8010 100644
--- a/multisig/protocol-correctness/pseudocode.k
+++ b/multisig/protocol-correctness/pseudocode.k
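Review bot: The new `ensures` names `?ActionLastIndex`, `?ActionData` and `?ActionSigners`, but the post-state on the claim's right-hand side (context in the preceding hunk) binds `?ActionLastIndex1`, `?ActionData1` and `?ActionSigners1`, and the removed `atMostOneSigner(?ActionSigners1)` used the `1` names too; as written the ensures either constrains three unrelated existentials or is rejected by the frontend, so `maliciousInvariant` is not established on the resulting action state. Change the three lines to `?ActionLastIndex1,`, `?ActionData1,` and `?ActionSigners1,`. The commented-out `// andBool Quorum >=Int 2` is now part of `maliciousInvariant` and can go. The claim this `ensures` belongs to begins outside the hunk.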
@@ -202,32 +202,32 @@ module PSEUDOCODE-TYPE-REFLECTION rule cast(just(K:KItem) => K, _:ReflectionType) */ - rule cast(value(K:KItem) => K, _:ReflectionType) + rule cast(value(K:KItem) => K, _:ReflectionType) [label(castValue)] - rule cast(U:Usize, rUsize) => U + rule cast(U:Usize, rUsize) => U [label(castUsize)] rule (.K => stuck) ~> cast(V:KItem, rUsize) ensures notBool isUsize(V) - [owise] + [owise, label(castUsizeStuck)] - rule cast(U:UserRole, rUserRole) => U + rule cast(U:UserRole, rUserRole) => U [label(castUserRole)] rule (.K => stuck) ~> cast(V:KItem, rUserRole) ensures notBool isUserRole(V) - [owise] + [owise, label(castUserRoleStuck)] - rule cast(V:ExpressionList, rExpressionList) => V + rule cast(V:ExpressionList, rExpressionList) => V [label(castExpressionList)] rule (.K => stuck) ~> cast(V:KItem, rExpressionList) ensures notBool isExpressionList(V) - [owise] + [owise, label(castExpressionListStuck)] - rule cast(A:Action, rAction) => A + rule cast(A:Action, rAction) => A [label(castAction)] rule (.K => stuck) ~> cast(V:KItem, rAction) ensures notBool isAction(V) - [owise] + [owise, label(castActionStuck)] - rule cast(A:Address, rAddress) => A + rule cast(A:Address, rAddress) => A [label(castAddress)] rule (.K => stuck) ~> cast(V:KItem, rAddress) ensures notBool isAddress(V) - [owise] + [owise, label(castAddressStuck)] syntax KItem ::= defaultValue(ReflectionType) [function, functional] rule defaultValue(rUsize) => u(0) @@ -692,7 +692,6 @@ module PSEUDOCODE-FUNCTIONS require(quorumReached(ActionId)); performActionFromId(ActionId); ) - [label(xyzzy)] rule call(discardAction(ActionId:Usize)) => runPseudoCode( 
@@ -705,9 +704,9 @@ module PSEUDOCODE-FUNCTIONS ok(void); ) - rule call(userRoleCanPropose(None)) => false - rule call(userRoleCanPropose(Proposer)) => true - rule call(userRoleCanPropose(BoardMember)) => true + rule call(userRoleCanPropose(None)) => false [label(userRoleCanProposeNone)] + rule call(userRoleCanPropose(Proposer)) => true [label(userRoleCanProposeProposer)] + rule call(userRoleCanPropose(BoardMember)) => true [label(userRoleCanProposeBoardMember)] rule call(userRoleCanSign(None)) => false rule call(userRoleCanSign(Proposer)) => false @@ -1166,9 +1165,11 @@ module MAP-UTILS => splitMap(K, M, ?_Value:KItem, ?_Remainder:Map) ~> #mapLookup(K, M) requires K in_keys(M) + [label(mapLookupInKeys)] rule mapLookup(K:KItem, M:Map) => nothing requires notBool K in_keys(M) + [label(mapLookupNotInKeys)] /* rule mapLookup(K:KItem, M:Map) => #mapLookup(K, splitMap(K, M, M)) */ From 8fa8c13ae6a72773c94b1b7d90fd5ccdd23f4932 Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Mon, 26 Apr 2021 18:58:23 +0300 Subject: [PATCH 35/37] Debug labels --- .../proof/execution-proof.k | 32 ++++++++----------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/multisig/protocol-correctness/proof/execution-proof.k b/multisig/protocol-correctness/proof/execution-proof.k index 8eff4d013..e40d4639f 100644 --- a/multisig/protocol-correctness/proof/execution-proof.k +++ b/multisig/protocol-correctness/proof/execution-proof.k 
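Review bot: Labels are added to the three `userRoleCanPropose` rules but not to the adjacent `userRoleCanSign` rules (`rule call(userRoleCanSign(None)) => false` and the two that follow it), so the debug labelling is inconsistent between two functions that sit side by side. `[label(userRoleCanSignNone)]`, `[label(userRoleCanSignProposer)]` and a BoardMember counterpart would keep them symmetric; the `mapLookup` rules in the later hunk already get both labels.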
@@ -13,21 +13,21 @@ module CONCRETIZE-INSTRUMENTATION
 syntax KItem ::= concretizeValue(KItem)
- rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV)
+ rule concretizeValue([CSV:ExpressionCSV]) => concretizeValue(CSV) [label(concretizeValueCsv)]
- rule concretizeValue(u(V:Int)) => concretizeValue(V)
+ rule concretizeValue(u(V:Int)) => concretizeValue(V) [label(concretizeValueUsize)]
- rule concretizeValue(address(V:Int)) => concretizeValue(V)
+ rule concretizeValue(address(V:Int)) => concretizeValue(V) [label(concretizeValueAddress)]
- rule concretizeValue(big(V:Int)) => concretizeValue(V)
+ rule concretizeValue(big(V:Int)) => concretizeValue(V) [label(concretizeValueBig)]
- rule concretizeValue(meta(V:Int)) => concretizeValue(V)
+ rule concretizeValue(meta(V:Int)) => concretizeValue(V) [label(concretizeValueMeta)]
- rule concretizeValue(bytes(V:String)) => concretizeValue(V)
+ rule concretizeValue(bytes(V:String)) => concretizeValue(V) [label(concretizeValueBytes)]
- rule concretizeValue(BoardMember) => .K
- rule concretizeValue(Proposer) => .K
- rule concretizeValue(None) => .K
+ rule concretizeValue(BoardMember) => .K [label(concretizeValueBoardMember)]
+ rule concretizeValue(Proposer) => .K [label(concretizeValueProposer)]
+ rule concretizeValue(None) => .K [label(concretizeValueNone)]
 rule concretizeValue(_) => .K [priority(200)]
@@ -127,19 +127,13 @@ module PROOF-INSTRUMENTATION imports CONCRETIZE-INSTRUMENTATION - syntax KItem ::= splitEquality(KItem, KItem) - rule splitEquality(A:KItem, B:KItem) => .K - requires A ==K B - rule splitEquality(A:KItem, B:KItem) => .K - requires notBool (A ==K B) - syntax KItem ::= splitBoolean(Bool) - rule splitBoolean(true) => .K - rule splitBoolean(false) => .K + rule splitBoolean(true) => .K [label(splitBooleanTrue)] + rule splitBoolean(false) => .K [label(splitBooleanFalse)] syntax KItem ::= branchK(Bool, K, K) - rule branchK(true, K:K, _:K) => K - rule branchK(false, _:K, K:K) => K + rule branchK(true, K:K, _:K) => K [label(branchKTrue)] + rule branchK(false, _:K, K:K) => K [label(branchKFalse)] endmodule From a3f579b1b17bddc2f53115be062e514ca8581c8e Mon Sep 17 00:00:00 2001 From: Virgil Serbanuta Date: Mon, 26 Apr 2021 18:59:11 +0300 Subject: [PATCH 36/37] Propose add board member --- multisig/kompile_tool/kprove.sh | 10 ++- .../proof/functions/BUILD | 22 +++-- .../proof/invariant/BUILD | 23 +++++- .../invariant/proof-perform-action-endpoint.k | 4 +- .../proof-propose-add-board-member.k | 10 +-- .../malicious-user/malicious-user-execute.k | 12 +-- .../proof/malicious-user/proofs/BUILD | 41 ++++++++++ .../proofs/proof-call-invariant.k | 39 ++++++--- .../proofs/proof-cannot-perform.k | 31 ++++--- .../proofs/proof-propose-add-board-member.k | 81 +++++++++++++++++++ 10 files changed, 230 insertions(+), 43 deletions(-) create mode 100644 multisig/protocol-correctness/proof/malicious-user/proofs/proof-propose-add-board-member.k diff --git a/multisig/kompile_tool/kprove.sh b/multisig/kompile_tool/kprove.sh index 471e21fd4..63a9ed0d4 100755 --- a/multisig/kompile_tool/kprove.sh +++ b/multisig/kompile_tool/kprove.sh @@ -2,9 +2,9 @@ set -e -PARENT_DIR=`dirname $0` +PARENT_DIR=$(dirname $0) -KOMPILE_DIR=`dirname $1` +KOMPILE_DIR=$(dirname $1) shift TMP_DIR=$(mktemp -d) 
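Review bot: `PARENT_DIR=$(dirname $0)` and `KOMPILE_DIR=$(dirname $1)` still leave `$0` and `$1` unquoted, so a path containing whitespace is split inside the command substitution; since the lines are being rewritten anyway, use `PARENT_DIR=$(dirname "$0")` and `KOMPILE_DIR=$(dirname "$1")`. The script runs under `set -e` and creates `TMP_DIR=$(mktemp -d)`, but no `trap` that removes the directory on exit is visible in this hunk — worth confirming it exists elsewhere in the file, otherwise every aborted run leaves a copy of the kompiled definition behind.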
@@ -19,6 +19,8 @@ shift
 BREADTH=$1
 shift
+#KOMPILE_PARENT = $(dirname $KOMPILE_DIR)
+# MODULE_NAME=$(basename "$ORIGINAL_FILE" | sed 's/\.[^\.]*$//' | tr [:lower:] [:upper:])
 cp -rL $KOMPILE_DIR $TMP_DIR
@@ -29,6 +31,9 @@ KOMPILE_TOOL_DIR=kompile_tool
 KPROVE=$(realpath $KOMPILE_TOOL_DIR/k/bin/kprove)
 REPL_SCRIPT=$(realpath $KOMPILE_TOOL_DIR/kast.kscript)
+#PROOF_FILE_PATH=$(realpath $PROOF_FILE)
+#REPL_SCRIPT_PATH=$(realpath $REPL_SCRIPT)
+#
 KORE_EXEC="kore-exec --breadth $BREADTH"
 KORE_REPL="kore-repl --repl-script $REPL_SCRIPT"
@@ -45,6 +50,7 @@ else
 fi
 cd $TMP_DIR
+echo $TMP_DIR
 $KPROVE \
 --haskell-backend-command "$BACKEND_COMMAND --smt-timeout 4000" \
diff --git a/multisig/protocol-correctness/proof/functions/BUILD b/multisig/protocol-correctness/proof/functions/BUILD
index 29164934c..3f09e4d24 100644
--- a/multisig/protocol-correctness/proof/functions/BUILD
+++ b/multisig/protocol-correctness/proof/functions/BUILD
@@ -388,7 +388,7 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-fragment-no-quorum.k"],
 trusted = ["trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "long",
+ timeout = "eternal",
 breadth = "6",
 )
@@ -397,7 +397,7 @@ kprove_test(
 srcs = ["proof-perform-action-endpoint-fragment-performs.k"],
 trusted = ["trusted-count-can-sign"],
 semantics = ":functions-execute",
- timeout = "long",
+ timeout = "eternal",
 breadth = "6",
 )
@@ -460,7 +460,7 @@ kprove_test(
 srcs = ["proof-perform-action-id-remove-user-New.k"],
 trusted = [":trusted-perform-action-remove-user-New"],
 semantics = ":functions-execute",
- timeout = "moderate",
+ timeout = "long", # "moderate",
 breadth = "3",
 )
@@ -623,6 +623,7 @@ kprove_test(
 srcs = ["proof-perform-action-remove-user-None.k"],
 trusted = [":trusted-change-user-role-None"],
 semantics = ":functions-execute",
+ timeout = "moderate", # "short",
 )
 kprove_test(
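Review bot: The `echo $TMP_DIR` added just before the `$KPROVE` invocation is debug output on stdout, so it ends up in whatever consumes the script's output (Bazel test log or a pipe) and prints the scratch directory path with every run. Either remove it or send it to stderr, `echo "$TMP_DIR" >&2`. The commented-out blocks in the two earlier hunks (`#KOMPILE_PARENT = $(dirname $KOMPILE_DIR)`, `# MODULE_NAME=...`, `#PROOF_FILE_PATH=...`, `#REPL_SCRIPT_PATH=...`) carry no information and `KOMPILE_PARENT = $(...)` would not even be valid shell if uncommented; drop them or reduce them to a single TODO line.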
@@ -794,7 +795,7 @@ kprove_test( srcs = ["proof-discard-action-no-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", # "moderate", breadth = "2", ) @@ -803,7 +804,7 @@ kprove_test( srcs = ["proof-discard-action-no-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "moderate", + timeout = "long", # "moderate", breadth = "2", ) @@ -818,7 +819,7 @@ kprove_test( srcs = ["proof-discard-action-no-valid-signers-no-action.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", # "long", breadth = "2", ) @@ -827,7 +828,7 @@ kprove_test( srcs = ["proof-discard-action-no-valid-signers.k"], trusted = [":trusted-count-can-sign"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", # "long", breadth = "2", ) @@ -835,7 +836,7 @@ kprove_test( name = "proof-propose-action-BoardMember", srcs = ["proof-propose-action-BoardMember.k"], semantics = ":functions-execute", - timeout = "long", + timeout = "eternal", # "long", breadth = "2", ) @@ -879,6 +880,7 @@ kprove_test( ":trusted-propose-sc-deploy-fragment", ], semantics = ":functions-execute", + timeout = "moderate", # "short", ) kprove_test( @@ -1034,21 +1036,25 @@ ktrusted( ktrusted( name = "trusted-propose-action-BoardMember", srcs = ["proof-propose-action-BoardMember.k"], + visibility = ["//visibility:public"], ) ktrusted( name = "trusted-propose-action-Proposer", srcs = ["proof-propose-action-Proposer.k"], + visibility = ["//visibility:public"], ) ktrusted( name = "trusted-propose-action-error-no-role", srcs = ["proof-propose-action-error-no-role.k"], + visibility = ["//visibility:public"], ) ktrusted( name = "trusted-propose-action-error-no-user", srcs = ["proof-propose-action-error-no-user.k"], + visibility = ["//visibility:public"], ) ktrusted( 
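Review bot: The `timeout` bumps in the hunks at -460, -623, -794, -803, -818, -827, -835 and -879 keep the previous value in a trailing comment (`timeout = "long", # "moderate",`), which will be stale the next time the value moves, and the several promotions to `"eternal"` effectively remove the budget that would flag a proof that has regressed in running time. If the bumps are a stopgap, one comment near the top of the file, `# TODO: restore tighter timeouts once <reason>`, is clearer than per-line history.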
diff --git a/multisig/protocol-correctness/proof/invariant/BUILD b/multisig/protocol-correctness/proof/invariant/BUILD
index b4374a00a..2d646a330 100644
--- a/multisig/protocol-correctness/proof/invariant/BUILD
+++ b/multisig/protocol-correctness/proof/invariant/BUILD
@@ -76,7 +76,8 @@ kprove_test(
 name = "proof-perform-action-endpoint",
 srcs = ["proof-perform-action-endpoint.k"],
 trusted = [
- ":trusted-perform-parts-add-board-member",
+ ":trusted-perform-parts-1",
+ #":trusted-perform-parts-add-board-member",
 # ":trusted-perform-parts-add-proposer",
 # ":trusted-perform-parts-change-quorum-with-quorum",
 # ":trusted-perform-parts-change-quorum-no-quorum",
@@ -595,6 +596,20 @@ kprove_test(
 semantics = ":invariant-execution",
 )
+kprove_test(
+ name = "proof-propose-add-board-member",
+ srcs = ["proof-propose-add-board-member.k"],
+ trusted = [
+ "//protocol-correctness/proof/functions:trusted-propose-action-BoardMember",
+ "//protocol-correctness/proof/functions:trusted-propose-action-Proposer",
+ "//protocol-correctness/proof/functions:trusted-propose-action-error-no-user",
+ "//protocol-correctness/proof/functions:trusted-propose-action-error-no-role",
+ ],
+ semantics = ":invariant-execution",
+ timeout = "eternal",
+ breadth = "4" # 0
+)
+
 ktrusted(
 name = "trusted-perform-parts-add-board-member-boardmember-eq",
 srcs = ["proof-perform-parts-add-board-member-boardmember-eq.k"],
@@ -871,3 +886,9 @@ ktrusted(
 visibility = ["//visibility:public"],
 )
+ktrusted(
+ name = "trusted-perform-parts-1",
+ srcs = ["proof-perform-parts-1.k"],
+ visibility = ["//visibility:public"],
+)
+
diff --git a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k
index 51fc333a3..a96a53fa6 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-perform-action-endpoint.k
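Review bot: `ktrusted(name = "trusted-perform-parts-1", srcs = ["proof-perform-parts-1.k"])` — and the matching `require "trusted-perform-parts-1.k"` in proof-perform-action-endpoint.k — reference a source file that this commit's diffstat neither creates nor touches; unless `proof-perform-parts-1.k` already exists in the tree, both the ktrusted target and the `proof-perform-action-endpoint` test fail to build. `breadth = "4" # 0` also lacks the trailing comma every other attribute uses, and the growing list of commented-out `# ":trusted-perform-parts-…"` entries reads as an unfinished TODO; a one-line comment saying why only `trusted-perform-parts-1` is trusted for now would help.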
@@ -1,10 +1,10 @@
 //@ proof
-require "trusted-perform-parts-add-board-member.k" //@ Bazel remove
+require "trusted-perform-parts-1.k" //@ Bazel remove
 module PROOF-PERFORM-ACTION-ENDPOINT
 imports INVARIANT-EXECUTION
- imports TRUSTED-PERFORM-PARTS-ADD-BOARD-MEMBER
+ imports TRUSTED-PERFORM-PARTS-1
 //@ trusted
 // module TRUSTED-PERFORM-ACTION-ENDPOINT
 //@ end
diff --git a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k
index 61b08439f..7bd8c4d17 100644
--- a/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k
+++ b/multisig/protocol-correctness/proof/invariant/proof-propose-add-board-member.k
@@ -1,9 +1,9 @@
-require "../functions/functions-execute.k"
+require "../functions/functions-execute.k" //@ Bazel remove
-require "../functions/trusted-propose-action-BoardMember.k"
-require "../functions/trusted-propose-action-Proposer.k"
-require "../functions/trusted-propose-action-error-no-user.k"
-require "../functions/trusted-propose-action-error-no-role.k"
+require "../functions/trusted-propose-action-BoardMember.k" //@ Bazel remove
+require "../functions/trusted-propose-action-Proposer.k" //@ Bazel remove
+require "../functions/trusted-propose-action-error-no-user.k" //@ Bazel remove
+require "../functions/trusted-propose-action-error-no-role.k" //@ Bazel remove
 module PROOF-PROPOSE-ADD-BOARD-MEMBER
 imports INVARIANT-EXECUTION
diff --git a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
index eb836bf83..706ec275e 100644
--- a/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
+++ b/multisig/protocol-correctness/proof/malicious-user/malicious-user-execute.k
@@ -41,9 +41,9 @@ module MALICIOUS-USER-INVARIANT
 syntax Bool ::= maliciousInvariant(
 maliciousAddress:Address,
 numUsers:Usize,
- initialUserIdToAddress:Map,
+ // initialUserIdToAddress:Map,
 currentUserIdToAddress:Map,
- initinalAddressToUserId:Map,
+ // initialAddressToUserId:Map,
 currentAddressToUserId:Map,
 numBoardMembers:Usize,
 numProposers:Usize,
@@ -58,9 +58,9 @@ module MALICIOUS-USER-INVARIANT
 rule maliciousInvariant(
 MaliciousAddress:Address,
 NumUsers:Usize,
- InitialUserIdToAddress:Map,
+ // InitialUserIdToAddress:Map,
 CurrentUserIdToAddress:Map,
- InitialAddressToUserId:Map,
+ // InitialAddressToUserId:Map,
 CurrentAddressToUserId:Map,
 NumBoardMembers:Usize,
 NumProposers:Usize,
@@ -83,8 +83,8 @@ module MALICIOUS-USER-INVARIANT
 ActionData,
 ActionSigners,
 Handling)
- andBool mapIncluded(InitialUserIdToAddress, CurrentUserIdToAddress)
- andBool mapIncluded(InitialAddressToUserId, CurrentAddressToUserId)
+ // andBool mapIncluded(InitialUserIdToAddress, CurrentUserIdToAddress)
+ // andBool mapIncluded(InitialAddressToUserId, CurrentAddressToUserId)
 andBool onlyThisSigner(CurrentAddressToUserId, MaliciousAddress, ActionSigners)
 andBool Quorum >=Int 2
 endmodule
diff --git a/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD b/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD
index 765756928..8fcecf690 100644
--- a/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD
+++ b/multisig/protocol-correctness/proof/malicious-user/proofs/BUILD
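Review bot: Commenting out `andBool mapIncluded(InitialUserIdToAddress, CurrentUserIdToAddress)` and its twin in the third hunk removes the only conjuncts of `maliciousInvariant` that related the initial user maps to the current ones, and the first two hunks leave the matching parameters as `//` comments in both the `syntax` and the `rule` instead of deleting them; the callers in proof-cannot-perform.k carry the same commented-out arguments. The claims in proof-call-invariant.k now keep `UserIdToAddress`/`AddressToUserId` unchanged across a call, which suggests map preservation is established there rather than inside the invariant, but nothing in this file says so. A comment at the declaration, e.g. `// The initial/current map-inclusion conjuncts were dropped; map preservation is stated per call in the proof-call-invariant claim`, or simply removing the dead parameters, would stop the next reader from re-adding them. The enclosing module begins before the first hunk.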
@@ -4,7 +4,48 @@ kprove_test(
 name = "proof-cannot-perform",
 srcs = ["proof-cannot-perform.k"],
 trusted = [
+ ":trusted-call-invariant",
+ ],
+ semantics = "//protocol-correctness/proof/malicious-user:malicious-user-execute",
+ timeout = "moderate",
+ breadth = "2",
+ # depth = "5"
+)
+
+kprove_test(
+ name = "proof-call-invariant",
+ srcs = ["proof-call-invariant.k"],
+ trusted = [
+ ":trusted-propose-add-board-member",
+ ],
+ semantics = "//protocol-correctness/proof/malicious-user:malicious-user-execute",
+ timeout = "eternal",
+)
+
+kprove_test(
+ name = "proof-propose-add-board-member",
+ srcs = ["proof-propose-add-board-member.k"],
+ trusted = [
+ "//protocol-correctness/proof/functions:trusted-propose-action-BoardMember",
+ "//protocol-correctness/proof/functions:trusted-propose-action-Proposer",
+ "//protocol-correctness/proof/functions:trusted-propose-action-error-no-user",
+ "//protocol-correctness/proof/functions:trusted-propose-action-error-no-role",
 ],
 semantics = "//protocol-correctness/proof/malicious-user:malicious-user-execute",
 timeout = "eternal",
+ breadth = "6",
+ # depth = ~37
 )
+
+ktrusted(
+ name = "trusted-call-invariant",
+ srcs = ["proof-call-invariant.k"],
+ visibility = ["//visibility:public"],
+)
+
+ktrusted(
+ name = "trusted-propose-add-board-member",
+ srcs = ["proof-propose-add-board-member.k"],
+ visibility = ["//visibility:public"],
+)
+
diff --git a/multisig/protocol-correctness/proof/malicious-user/proofs/proof-call-invariant.k b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-call-invariant.k
index 226d53c29..3130fac45 100644
--- a/multisig/protocol-correctness/proof/malicious-user/proofs/proof-call-invariant.k
+++ b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-call-invariant.k
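Review bot: The new tuning values `breadth = "2"` with `# depth = "5"` on proof-cannot-perform and `breadth = "6"` with `# depth = ~37` on proof-propose-add-board-member are unexplained, and `~37` is a comment with no unit or source. A comment per target such as `# breadth/depth: <how measured, e.g. branches reported by kprove on YYYY-MM-DD>` would let someone retune them after the semantics change. proof-cannot-perform also moves from the `timeout = "eternal"` it had before to `"moderate"` now that it trusts `:trusted-call-invariant`; naming that dependency in the comment would explain why the shorter budget is expected to hold. The proof-propose-add-board-member target duplicates the one in proof/invariant/BUILD except for `breadth`, which is worth a cross-reference.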
@@ -1,9 +1,19 @@
+//@ proof
+require "trusted-propose-add-board-member.k" //@ Bazel remove
+
 module PROOF-CALL-INVARIANT
+ imports TRUSTED-PROPOSE-ADD-BOARD-MEMBER
+//@ trusted
+// module TRUSTED-CALL-INVARIANT
+//@ end
 imports MALICIOUS-USER-EXECUTE
 imports PSEUDOCODE
 
 claim
- runExternalCallFromUser(MaliciousAddress:Address) ~> K:K
+ runExternalCallFromUser(MaliciousAddress:Address)
+ ~> runExternalCallsFromUser(MaliciousAddress:Address, Count:Int)
+ ~> K:K
+
 invariantState(
 NumUsers:Usize,
 UserIdToAddress:Map,
@@ -19,16 +29,18 @@ module PROOF-CALL-INVARIANT
 
 =>
 
- runExternalCalls(EC)
+ runExternalCallsFromUser(MaliciousAddress:Address, Count:Int)
+ ~> K:K
+
 invariantState(
 NumUsers,
- ?UserIdToAddress:Map,
- ?AddressToUserId:Map,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
 NumBoardMembers,
 NumProposers,
 UserRoles,
 Quorum,
- ?ActionLastIndex:Usize,
+ u(?ActionLastIndex:Int),
 ?ActionData:Map,
 ?ActionSigners:Map,
 PerformedActions:List):StateCell
@@ -51,14 +63,23 @@ module PROOF-CALL-INVARIANT
 andBool maliciousInvariant(
 MaliciousAddress,
 NumUsers,
- ?UserIdToAddress,
- ?AddressToUserId,
+ UserIdToAddress,
+ AddressToUserId,
 NumBoardMembers,
 NumProposers,
 UserRoles,
 Quorum,
- ?ActionLastIndex,
+ u(?ActionLastIndex),
 ?ActionData,
 ?ActionSigners,
- usesExpanded)
+ //@ proof
+ usesExpanded
+ //@ trusted
+ // expand(expanded)
+ //@ end
+ )
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
 endmodule
diff --git a/multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k
index 841879a18..b1d949058 100644
--- a/multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k
+++ b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-cannot-perform.k
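Review bot: In the third hunk the last argument of `maliciousInvariant` becomes `usesExpanded` when the file is checked as a proof but `expand(expanded)` when it is consumed as a trusted lemma, and nothing in the file says why the two uses need different forms; the new malicious-user proof-propose-add-board-member.k mixes the same two forms between its `requires` and `ensures`. A one-line comment above the inner `//@ proof` marker, `// <why the trusted form needs expand(expanded) while the proof uses usesExpanded>`, would record the reasoning for the next person who has to add a lemma. The claim's middle section (old lines 10–18 and the requires clause before line 51) is outside the hunks, so I cannot tell whether it already explains this.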
@@ -1,4 +1,11 @@
+//@ proof
+require "trusted-call-invariant.k" //@ Bazel remove
+
 module PROOF-CANNOT-PERFORM
+ imports TRUSTED-CALL-INVARIANT
+//@ trusted
+// module TRUSTED-CANNOT-PERFORM
+//@ end
 imports MALICIOUS-USER-EXECUTE
 imports PSEUDOCODE
 
@@ -22,24 +29,24 @@ module PROOF-CANNOT-PERFORM
 K
 invariantState(
 NumUsers,
- ?UserIdToAddress:Map,
- ?AddressToUserId:Map,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
 NumBoardMembers,
 NumProposers,
 UserRoles,
 u(Quorum),
- ?ActionLastIndex1:Usize,
- ?ActionData1:Map,
- ?ActionSigners1:Map,
+ u(?ActionLastIndex:Int),
+ ?ActionData:Map,
+ ?ActionSigners:Map,
 PerformedActions:List):StateCell
 
 requires true
 andBool maliciousInvariant(
 MaliciousAddress,
 NumUsers,
+ // UserIdToAddress,
 UserIdToAddress,
- UserIdToAddress,
- AddressToUserId,
+ // AddressToUserId,
 AddressToUserId,
 NumBoardMembers,
 NumProposers,
@@ -56,15 +63,19 @@ module PROOF-CANNOT-PERFORM
 MaliciousAddress,
 NumUsers,
 UserIdToAddress,
- ?UserIdToAddress,
+ // ?UserIdToAddress,
 AddressToUserId,
- ?AddressToUserId,
+ // ?AddressToUserId,
 NumBoardMembers,
 NumProposers,
 UserRoles,
 u(Quorum),
- ?ActionLastIndex,
+ u(?ActionLastIndex),
 ?ActionData,
 ?ActionSigners,
 usesExpanded)
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
 endmodule
diff --git a/multisig/protocol-correctness/proof/malicious-user/proofs/proof-propose-add-board-member.k b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-propose-add-board-member.k
new file mode 100644
index 000000000..3448b9f13
--- /dev/null
+++ b/multisig/protocol-correctness/proof/malicious-user/proofs/proof-propose-add-board-member.k
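Review bot: The output cell in the second hunk and the `ensures` in the third now build the action index as `u(?ActionLastIndex:Int)` from a fresh Int, and nothing visible bounds that Int; if `u(_)` merely wraps an Int as a Usize, the post-state admits a negative index unless `maliciousInvariant` already implies `?ActionLastIndex >=Int 0`. If it does not, `andBool ?ActionLastIndex >=Int 0` in the `ensures` closes the gap; proof-call-invariant.k uses the same form and would need the same line. The commented-out duplicate arguments `// UserIdToAddress,` / `// AddressToUserId,` in the `requires` and `// ?UserIdToAddress,` / `// ?AddressToUserId,` in the `ensures` read better deleted now that the invariant no longer takes the initial maps. Lines 12–28 of the claim are outside the hunks.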
@@ -0,0 +1,81 @@
+//@ proof
+require "../functions/trusted-propose-action-BoardMember.k" //@ Bazel remove
+require "../functions/trusted-propose-action-Proposer.k" //@ Bazel remove
+require "../functions/trusted-propose-action-error-no-user.k" //@ Bazel remove
+require "../functions/trusted-propose-action-error-no-role.k" //@ Bazel remove
+
+module PROOF-PROPOSE-ADD-BOARD-MEMBER
+ imports TRUSTED-PROPOSE-ACTION-ERROR-NO-ROLE
+ imports TRUSTED-PROPOSE-ACTION-ERROR-NO-USER
+ imports TRUSTED-PROPOSE-ACTION-BOARDMEMBER
+ imports TRUSTED-PROPOSE-ACTION-PROPOSER
+//@ trusted
+// module TRUSTED-PROPOSE-ADD-BOARD-MEMBER
+//@ end
+ imports MALICIOUS-USER-EXECUTE
+ imports PSEUDOCODE
+
+ claim
+ runExternalCall(from MaliciousAddress run proposeAddBoardMember(_UserAddress:Address);) ~> K:K
+ invariantState(
+ NumUsers:Usize,
+ UserIdToAddress:Map,
+ AddressToUserId:Map,
+ NumBoardMembers:Usize,
+ NumProposers:Usize,
+ UserRoles:Map,
+ Quorum:Usize,
+ ActionLastIndex:Usize,
+ ActionData:Map,
+ ActionSigners:Map,
+ PerformedActions:List)
+
+ =>
+
+ K
+ invariantState(
+ NumUsers,
+ ?UserIdToAddress:Map,
+ ?AddressToUserId:Map,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ?ActionLastIndex:Usize,
+ ?ActionData:Map,
+ ?ActionSigners:Map,
+ PerformedActions:List):StateCell
+
+ requires true
+ andBool maliciousInvariant(
+ MaliciousAddress,
+ NumUsers,
+ UserIdToAddress,
+ AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ActionLastIndex,
+ ActionData,
+ ActionSigners,
+ expand(expanded))
+ ensures true
+ andBool maliciousInvariant(
+ MaliciousAddress,
+ NumUsers,
+ ?UserIdToAddress,
+ ?AddressToUserId,
+ NumBoardMembers,
+ NumProposers,
+ UserRoles,
+ Quorum,
+ ?ActionLastIndex,
+ ?ActionData,
+ ?ActionSigners,
+ usesExpanded)
+ //@ proof
+ //@ trusted
+ // [trusted]
+ //@ end
+endmodule
From f9c43fc959c9f4388e74e1dd733fd57d3389f6da Mon Sep 17 00:00:00 2001
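Review bot: The four `require "../functions/trusted-propose-action-*.k"` lines resolve, from proof/malicious-user/proofs/, to proof/malicious-user/functions/, while the BUILD target for this file takes the same lemmas from `//protocol-correctness/proof/functions`, two levels up; the identical lines are correct in proof/invariant/proof-propose-add-board-member.k only because that file sits one directory closer. Unless a proof/malicious-user/functions directory exists, the path for a non-Bazel run should be `require "../../functions/trusted-propose-action-BoardMember.k" //@ Bazel remove` and likewise for the other three — the `//@ Bazel remove` marker means a Bazel build would not notice the mistake. The claim also carries no comment stating what it establishes; a header before `claim` such as `// A proposeAddBoardMember call from the malicious address preserves maliciousInvariant; NumUsers, NumBoardMembers, NumProposers, UserRoles, Quorum and PerformedActions are unchanged in the output pattern.` would orient a reader.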
From: Virgil Serbanuta
Date: Tue, 27 Apr 2021 21:12:08 +0300
Subject: [PATCH 37/37] Improve compilation times.
---
 multisig/kompile_tool/kprove-kompile.sh | 1 +
 .../protocol-correctness/proof/invariant.k | 96 +++++++++----------
 2 files changed, 49 insertions(+), 48 deletions(-)
diff --git a/multisig/kompile_tool/kprove-kompile.sh b/multisig/kompile_tool/kprove-kompile.sh
index 274b4457e..36764022e 100755
--- a/multisig/kompile_tool/kprove-kompile.sh
+++ b/multisig/kompile_tool/kprove-kompile.sh
@@ -37,6 +37,7 @@ chmod -R a+w $TMP_DIR/*
 
 pushd $TMP_DIR > /dev/null
 
+nice -n 10 \
 $KPROVE \
 --spec-module "$MODULE_NAME" \
 --dry-run \
diff --git a/multisig/protocol-correctness/proof/invariant.k b/multisig/protocol-correctness/proof/invariant.k
index 824c6bb4a..13dbac42a 100644
--- a/multisig/protocol-correctness/proof/invariant.k
+++ b/multisig/protocol-correctness/proof/invariant.k
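Review bot: `nice -n 10 \` lowers the scheduling priority of this kprove run, which by itself cannot make the run faster, yet the commit title is "Improve compilation times"; presumably the gain comes from several proof jobs sharing a machine, and a comment saying so would stop a later reader from removing the line as a slowdown, e.g. `# Low priority on purpose: <reason, e.g. many kprove jobs run in parallel under Bazel and the host must stay responsive>`. Unrelated to this change but visible in the same hunk, `chmod -R a+w $TMP_DIR/*` and the unquoted `pushd $TMP_DIR` make the temporary tree world-writable and split on whitespace in the path — worth a follow-up if the tool ever runs on a shared host. The rest of the script is outside the hunk.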
@@ -67,60 +67,60 @@ module INVARIANT
 imports INVARIANT-HELPERS
 
 syntax StateCell ::= invariantState(
- numUsers:Usize,
- userIdToAddress:Map,
- addressToUserId:Map,
- numBoardMembers:Usize,
- numProposers:Usize,
- userIdToRole:Map,
- quorum:Usize,
- actionLastIndex:Usize,
- actionData:Map,
- actionSigners:Map,
- performedActions:List) [function, functional]
+ /*numUsers:*/Usize,
+ /*userIdToAddress:*/Map,
+ /*addressToUserId:*/Map,
+ /*numBoardMembers:*/Usize,
+ /*numProposers:*/Usize,
+ /*userIdToRole:*/Map,
+ /*quorum:*/Usize,
+ /*actionLastIndex:*/Usize,
+ /*actionData:*/Map,
+ /*actionSigners:*/Map,
+ /*performedActions:*/List) [function, functional]
 
 syntax MultisigStateCell ::= invariantMultisigState(
- numUsers:Usize,
- userIdToAddress:Map,
- addressToUserId:Map,
- numBoardMembers:Usize,
- numProposers:Usize,
- userIdToRole:Map,
- quorum:Usize,
- actionLastIndex:Usize,
- actionData:Map,
- actionSigners:Map) [function, functional]
+ /*numUsers:*/Usize,
+ /*userIdToAddress:*/Map,
+ /*addressToUserId:*/Map,
+ /*numBoardMembers:*/Usize,
+ /*numProposers:*/Usize,
+ /*userIdToRole:*/Map,
+ /*quorum:*/Usize,
+ /*actionLastIndex:*/Usize,
+ /*actionData:*/Map,
+ /*actionSigners:*/Map) [function, functional]
 
 syntax StateCell ::= invariantStateStack(
- numUsers:Usize,
- userIdToAddress:Map,
- addressToUserId:Map,
- numBoardMembers:Usize,
- numProposers:Usize,
- userIdToRole:Map,
- quorum:Usize,
- actionLastIndex:Usize,
- actionData:Map,
- actionSigners:Map,
- callerAddress:KItem,
- stack:Stack,
- performedActions:List) [function, functional]
+ /*numUsers:*/Usize,
+ /*userIdToAddress:*/Map,
+ /*addressToUserId:*/Map,
+ /*numBoardMembers:*/Usize,
+ /*numProposers:*/Usize,
+ /*userIdToRole:*/Map,
+ /*quorum:*/Usize,
+ /*actionLastIndex:*/Usize,
+ /*actionData:*/Map,
+ /*actionSigners:*/Map,
+ /*callerAddress:*/KItem,
+ /*stack:*/Stack,
+ /*performedActions:*/List) [function, functional]
 
 syntax StateCell ::= invariantStateFull(
- numUsers:Usize,
- userIdToAddress:Map,
- addressToUserId:Map,
- numBoardMembers:Usize,
- numProposers:Usize,
- userIdToRole:Map,
- quorum:Usize,
- actionLastIndex:Usize,
- actionData:Map,
- actionSigners:Map,
- callerAddress:KItem,
- stack:Stack,
- variables:Map,
- performedActions:List) [function, functional]
+ /*numUsers:*/Usize,
+ /*userIdToAddress:*/Map,
+ /*addressToUserId:*/Map,
+ /*numBoardMembers:*/Usize,
+ /*numProposers:*/Usize,
+ /*userIdToRole:*/Map,
+ /*quorum:*/Usize,
+ /*actionLastIndex:*/Usize,
+ /*actionData:*/Map,
+ /*actionSigners:*/Map,
+ /*callerAddress:*/KItem,
+ /*stack:*/Stack,
+ /*variables:*/Map,
+ /*performedActions:*/List) [function, functional]
 
 rule invariantState(
 NumUsers:Usize,
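Review bot: The four `invariantState*` declarations drop their parameter labels in favour of `/*numUsers:*/Usize`-style comments with no note on why, and because the `rule invariantState(NumUsers:Usize, …` that follows matches positionally, those comments now have to be kept in sync by hand. The commit title ("Improve compilation times") suggests the labelled parameters were costly to kompile, but that is an inference; a one-line comment above the first declaration, `// Parameter names are comments only: <reason, e.g. labelled arguments slowed kompile>. Keep them aligned with the rules below.`, would record it. The rules that consume these constructors continue past the hunk.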