GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 150edce57b
Branches Tags
openzeppelin-co...
/
certora
/
specs
/
TimelockController.spec

TimelockController.spec 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324 
  1. methods {
    2. 

  2.     getTimestamp(bytes32) returns(uint256) envfree
    3. 

  3.     _DONE_TIMESTAMP() returns(uint256) envfree
    4. 

  4.     PROPOSER_ROLE() returns(bytes32) envfree
    5. 

  5.     _minDelay() returns(uint256) envfree
    6. 

  6.     getMinDelay() returns(uint256) envfree
    7. 

  7.     hashOperation(address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt) returns(bytes32) envfree
    8. 

  8.     isOperation(bytes32) returns(bool) envfree
    9. 

  9.     isOperationPending(bytes32) returns(bool) envfree
    10. 

  10.     isOperationDone(bytes32) returns(bool) envfree
    11. 

  11. 

  12.     isOperationReady(bytes32) returns(bool)
    13. 

  13.     cancel(bytes32)
    14. 

  14.     schedule(address, uint256, bytes, bytes32, bytes32, uint256)
    15. 

  15.     execute(address, uint256, bytes, bytes32, bytes32)
    16. 

  16. 		scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256)
    17. 

  17.     executeBatch(address[], uint256[], bytes[], bytes32, bytes32)
    18. 

  18.     _checkRole(bytes32) => DISPATCHER(true)
    19. 

  19. }
    20. 

  20. 

  21. 

  22. 

  23. ////////////////////////////////////////////////////////////////////////////
    24. 

  24. //                         Functions                                      //
    25. 

  25. ////////////////////////////////////////////////////////////////////////////
    26. 

  26. 

  27. 

  28. function hashIdCorrelation(bytes32 id, address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt){
    29. 

  29.     require data.length < 32;
    30. 

  30.     require hashOperation(target, value, data, predecessor, salt) == id;
    31. 

  31. }
    32. 

  32. 

  33. 

  34. 

  35. ////////////////////////////////////////////////////////////////////////////
    36. 

  36. //                         Invariants                                     //
    37. 

  37. ////////////////////////////////////////////////////////////////////////////
    38. 

  38. 

  39. 

  40. // STATUS - verified
    41. 

  41. // `isOperation()` correctness check
    42. 

  42. invariant operationCheck(bytes32 id)
    43. 

  43.     getTimestamp(id) > 0 <=> isOperation(id)
    44. 

  44. filtered { f -> !f.isView }
    45. 

  45. 

  46. // STATUS - verified
    47. 

  47. // `isOperationPending()` correctness check
    48. 

  48. invariant pendingCheck(bytes32 id)
    49. 

  49.     getTimestamp(id) > _DONE_TIMESTAMP() <=> isOperationPending(id)
    50. 

  50. filtered { f -> !f.isView }
    51. 

  51. 

  52. // STATUS - verified
    53. 

  53. // `isOperationReady()` correctness check
    54. 

  54. invariant readyCheck(env e, bytes32 id)
    55. 

  55.     (e.block.timestamp >= getTimestamp(id) && getTimestamp(id) > 1) <=> isOperationReady(e, id)
    56. 

  56. filtered { f -> !f.isView }
    57. 

  57. 

  58. // STATUS - verified
    59. 

  59. // `isOperationDone()` correctness check
    60. 

  60. invariant doneCheck(bytes32 id)
    61. 

  61.     getTimestamp(id) == _DONE_TIMESTAMP() <=> isOperationDone(id)
    62. 

  62. filtered { f -> !f.isView }
    63. 

  63. 

  64. 

  65. ////////////////////////////////////////////////////////////////////////////
    66. 

  66. //                            Rules                                       //
    67. 

  67. ////////////////////////////////////////////////////////////////////////////
    68. 

  68. 

  69. 

  70. /////////////////////////////////////////////////////////////
    71. 

  71. // STATE TRANSITIONS
    72. 

  72. /////////////////////////////////////////////////////////////
    73. 

  73. 

  74. 

  75. // STATUS - verified
    76. 

  76. // Possible transitions: form `!isOperation()` to `!isOperation()` or `isOperationPending()` only
    77. 

  77. rule unsetPendingTransitionGeneral(method f, env e){
    78. 

  78.     bytes32 id;
    79. 

  79. 

  80.     require !isOperation(id);
    81. 

  81.     require e.block.timestamp > 1;
    82. 

  82. 

  83.     calldataarg args;
    84. 

  84.     f(e, args);
    85. 

  85. 

  86.     assert isOperationPending(id) || !isOperation(id);
    87. 

  87. }
    88. 

  88. 

  89. 

  90. // STATUS - verified
    91. 

  91. // Possible transitions: form `!isOperation()` to `isOperationPending()` via `schedule()` and `scheduleBatch()` only
    92. 

  92. rule unsetPendingTransitionMethods(method f, env e){
    93. 

  93.     bytes32 id;
    94. 

  94. 

  95.     require !isOperation(id);
    96. 

  96. 

  97.     calldataarg args;
    98. 

  98.     f(e, args);
    99. 

  99. 

  100.     assert isOperationPending(id) => (f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector 
    101. 

  101.                                 || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector), "Why do we need to follow the schedule?";
    102. 

  102. }
    103. 

  103. 

  104. 

  105. // STATUS - verified
    106. 

  106. // Possible transitions: form `ready()` to `isOperationDone()` via `execute()` and `executeBatch()` only
    107. 

  107. rule readyDoneTransition(method f, env e){
    108. 

  108.     bytes32 id;
    109. 

  109. 

  110.     require isOperationReady(e, id);
    111. 

  111. 

  112.     calldataarg args;
    113. 

  113.     f(e, args);
    114. 

  114. 

  115.     assert isOperationDone(id) => f.selector == execute(address, uint256, bytes, bytes32, bytes32).selector  
    116. 

  116.                                 || f.selector == executeBatch(address[], uint256[], bytes[], bytes32, bytes32).selector , "It's not isOperationDone yet!";
    117. 

  117. }
    118. 

  118. 

  119. 

  120. // STATUS - verified
    121. 

  121. // isOperationPending() -> cancelled() via cancel() only
    122. 

  122. rule pendingCancelledTransition(method f, env e){
    123. 

  123.     bytes32 id;
    124. 

  124. 

  125.     require isOperationPending(id);
    126. 

  126. 

  127.     calldataarg args;
    128. 

  128.     f(e, args);
    129. 

  129. 

  130.     assert !isOperation(id) => f.selector == cancel(bytes32).selector, "How you dare to cancel me?";
    131. 

  131. }
    132. 

  132. 

  133. 

  134. // STATUS - verified
    135. 

  135. // isOperationDone() -> nowhere
    136. 

  136. rule doneToNothingTransition(method f, env e){
    137. 

  137.     bytes32 id;
    138. 

  138. 

  139.     require isOperationDone(id);
    140. 

  140. 

  141.     calldataarg args;
    142. 

  142.     f(e, args);
    143. 

  143. 

  144.     assert isOperationDone(id), "Did you find a way to escape? There is no way! HA-HA-HA";
    145. 

  145. }
    146. 

  146. 

  147. 

  148. 

  149. /////////////////////////////////////////////////////////////
    150. 

  150. // THE REST
    151. 

  151. /////////////////////////////////////////////////////////////
    152. 

  152. 

  153. 

  154. // STATUS - verified
    155. 

  155. // only TimelockController contract can change minDelay
    156. 

  156. rule minDelayOnlyChange(method f, env e){
    157. 

  157.     uint256 delayBefore = _minDelay();    
    158. 

  158. 

  159.     calldataarg args;
    160. 

  160.     f(e, args);
    161. 

  161. 

  162.     uint256 delayAfter = _minDelay();
    163. 

  163. 

  164.     assert delayBefore != delayAfter => e.msg.sender == currentContract, "You cannot change your destiny! Only I can!";
    165. 

  165. }
    166. 

  166. 

  167. 

  168. // STATUS - verified
    169. 

  169. // scheduled operation timestamp == block.timestamp + delay (kind of unit test)
    170. 

  170. rule scheduleCheck(method f, env e){
    171. 

  171.     bytes32 id;
    172. 

  172. 

  173.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    174. 

  174. 

  175.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    176. 

  176. 

  177.     schedule(e, target, value, data, predecessor, salt, delay);
    178. 

  178. 

  179.     assert getTimestamp(id) == to_uint256(e.block.timestamp + delay), "Time doesn't obey to mortal souls";
    180. 

  180. }
    181. 

  181. 

  182. 

  183. // STATUS - verified
    184. 

  184. // Cannot call `execute()` on a isOperationPending (not ready) operation
    185. 

  185. rule cannotCallExecute(method f, env e){
    186. 

  186.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    187. 

  187.     bytes32 id;
    188. 

  188. 

  189.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    190. 

  190.     require isOperationPending(id) && !isOperationReady(e, id);
    191. 

  191. 

  192.     execute@withrevert(e, target, value, data, predecessor, salt);
    193. 

  193. 

  194.     assert lastReverted, "you go against execution nature";
    195. 

  195. }
    196. 

  196. 

  197. 

  198. // STATUS - verified
    199. 

  199. // Cannot call `execute()` on a !isOperation operation
    200. 

  200. rule executeRevertsFromUnset(method f, env e, env e2){
    201. 

  201.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    202. 

  202.     bytes32 id;
    203. 

  203. 

  204.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    205. 

  205.     require !isOperation(id);
    206. 

  206. 

  207.     execute@withrevert(e, target, value, data, predecessor, salt);
    208. 

  208. 

  209.     assert lastReverted, "you go against execution nature";
    210. 

  210. }
    211. 

  211. 

  212. 

  213. // STATUS - verified
    214. 

  214. // Execute reverts => state returns to isOperationPending
    215. 

  215. rule executeRevertsEffectCheck(method f, env e){
    216. 

  216.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    217. 

  217.     bytes32 id;
    218. 

  218. 

  219.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    220. 

  220.     require isOperationPending(id) && !isOperationReady(e, id);
    221. 

  221. 

  222.     execute@withrevert(e, target, value, data, predecessor, salt);
    223. 

  223.     bool reverted = lastReverted;
    224. 

  224. 

  225.     assert lastReverted => isOperationPending(id) && !isOperationReady(e, id), "you go against execution nature";
    226. 

  226. }
    227. 

  227. 

  228. 

  229. // STATUS - verified
    230. 

  230. // Canceled operations cannot be executed → can’t move from canceled to isOperationDone
    231. 

  231. rule cancelledNotExecuted(method f, env e){
    232. 

  232.     bytes32 id;
    233. 

  233. 

  234.     require !isOperation(id);
    235. 

  235.     require e.block.timestamp > 1;
    236. 

  236. 

  237.     calldataarg args;
    238. 

  238.     f(e, args);
    239. 

  239. 

  240.     assert !isOperationDone(id), "The ship is not a creature of the air";
    241. 

  241. }
    242. 

  242. 

  243. 

  244. // STATUS - verified
    245. 

  245. // Only proposers can schedule
    246. 

  246. rule onlyProposer(method f, env e) filtered { f -> f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector
    247. 

  247.                                                     || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector } {
    248. 

  248.     bytes32 id;
    249. 

  249.     bytes32 role;
    250. 

  250.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    251. 

  251. 

  252.     _checkRole@withrevert(e, PROPOSER_ROLE());
    253. 

  253. 

  254.     bool isCheckRoleReverted = lastReverted;
    255. 

  255. 

  256.     calldataarg args;
    257. 

  257.     f@withrevert(e, args);
    258. 

  258. 

  259.     bool isScheduleReverted = lastReverted;
    260. 

  260. 

  261.     assert isCheckRoleReverted => isScheduleReverted, "Enemy was detected";
    262. 

  262. }
    263. 

  263. 

  264. 

  265. // STATUS - verified
    266. 

  266. // if `ready` then has waited minimum period after isOperationPending() 
    267. 

  267. rule cooldown(method f, env e, env e2){
    268. 

  268.     bytes32 id;
    269. 

  269.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    270. 

  270.     uint256 minDelay = getMinDelay();
    271. 

  271. 

  272.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    273. 

  273. 

  274.     schedule(e, target, value, data, predecessor, salt, delay);
    275. 

  275. 

  276.     calldataarg args;
    277. 

  277.     f(e, args);
    278. 

  278. 

  279.     assert isOperationReady(e2, id) => (e2.block.timestamp - e.block.timestamp >= minDelay), "No rush! When I'm ready, I'm ready";
    280. 

  280. }
    281. 

  281. 

  282. 

  283. // STATUS - verified
    284. 

  284. // `schedule()` should change only one id's timestamp
    285. 

  285. rule scheduleChange(env e){
    286. 

  286.     bytes32 id;  bytes32 otherId; 
    287. 

  287.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    288. 

  288. 

  289.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    290. 

  290. 

  291.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    292. 

  292. 

  293.     schedule(e, target, value, data, predecessor, salt, delay);
    294. 

  294. 

  295.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    296. 

  296. }
    297. 

  297. 

  298. 

  299. // STATUS - verified
    300. 

  300. // `execute()` should change only one id's timestamp
    301. 

  301. rule executeChange(env e){
    302. 

  302.     bytes32 id;  bytes32 otherId; 
    303. 

  303.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt;
    304. 

  304.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    305. 

  305. 

  306.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    307. 

  307. 

  308.     execute(e, target, value, data, predecessor, salt);
    309. 

  309. 

  310.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    311. 

  311. }
    312. 

  312. 

  313. 

  314. // STATUS - verified
    315. 

  315. // `cancel()` should change only one id's timestamp
    316. 

  316. rule cancelChange(env e){
    317. 

  317.     bytes32 id;  bytes32 otherId; 
    318. 

  318. 

  319.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    320. 

  320. 

  321.     cancel(e, id);
    322. 

  322. 

  323.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    324. 

  324. }
    325.