RDMA offers low latency and high throughput but suffers from a weak memory model lacking formal foundations, hindering the construction of correct, composable multi-node concurrent objects. Method: We introduce LOCO—the first RDMA-native multi-node object library supporting formal verification—bridging shared-memory and distributed programming paradigms. To address RDMA consistency modeling challenges, we design Mowgli, a modular, declarative verification framework that decouples proof logic from the memory model and enables systematic correctness proofs leveraging locality properties. Contribution/Results: LOCO achieves performance comparable to custom RDMA systems while drastically simplifying the programming model. All core components are fully formally verified. LOCO provides a high-reliability, high-performance infrastructure foundation for data centers, HPC, and AI/ML workloads.

Remote Direct Memory Access (RDMA) is a memory technology that allows remote devices to directly write to and read from each other's memory, bypassing components such as the CPU and operating system. This enables low-latency high-throughput networking, as required for many modern data centres, HPC applications and AI/ML workloads. However, baseline RDMA comprises a highly permissive weak memory model that is difficult to use in practice and has only recently been formalised. In this paper, we introduce the Library of Composable Objects (LOCO), a formally verified library for building multi-node objects on RDMA, filling the gap between shared memory and distributed system programming. LOCO objects are well-encapsulated and take advantage of the strong locality and the weak consistency characteristics of RDMA. They have performance comparable to custom RDMA systems (e.g. distributed maps), but with a far simpler programming model amenable to formal proofs of correctness. To support verification, we develop a novel modular declarative verification framework, called Mowgli, that is flexible enough to model multinode objects and is independent of a memory consistency model. We instantiate Mowgli with the RDMA memory model, and use it to verify correctness of LOCO libraries.