GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 3c58e4e3d3
Branches Tags
openzeppelin-co...
/
certora
/
specs
/
TimelockController.spec

TimelockController.spec 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326 
  1. methods {
    2. 

  2.     PROPOSER_ROLE() returns(bytes32) envfree
    3. 

  3. 

  4.     _DONE_TIMESTAMP() returns(uint256) envfree
    5. 

  5.     _minDelay() returns(uint256) envfree
    6. 

  6.     _checkRole(bytes32) => DISPATCHER(true)
    7. 

  7. 

  8.     isOperation(bytes32) returns(bool) envfree
    9. 

  9.     isOperationPending(bytes32) returns(bool) envfree
    10. 

  10.     isOperationReady(bytes32) returns(bool)
    11. 

  11.     isOperationDone(bytes32) returns(bool) envfree
    12. 

  12.     getTimestamp(bytes32) returns(uint256) envfree
    13. 

  13.     getMinDelay() returns(uint256) envfree
    14. 

  14. 

  15.     hashOperation(address, uint256, bytes, bytes32, bytes32) returns(bytes32) envfree
    16. 

  16.     hashOperationBatch(address[], uint256[], bytes[], bytes32, bytes32) returns(bytes32) envfree
    17. 

  17. 

  18.     schedule(address, uint256, bytes, bytes32, bytes32, uint256)
    19. 

  19.     scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256)
    20. 

  20.     execute(address, uint256, bytes, bytes32, bytes32)
    21. 

  21.     executeBatch(address[], uint256[], bytes[], bytes32, bytes32)
    22. 

  22.     cancel(bytes32)
    23. 

  23. }
    24. 

  24. 

  25. 

  26. ////////////////////////////////////////////////////////////////////////////
    27. 

  27. //                         Functions                                      //
    28. 

  28. ////////////////////////////////////////////////////////////////////////////
    29. 

  29. 

  30. 

  31. function hashIdCorrelation(bytes32 id, address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt){
    32. 

  32.     require data.length < 32;
    33. 

  33.     require hashOperation(target, value, data, predecessor, salt) == id;
    34. 

  34. }
    35. 

  35. 

  36. 

  37. ////////////////////////////////////////////////////////////////////////////
    38. 

  38. //                         Invariants                                     //
    39. 

  39. ////////////////////////////////////////////////////////////////////////////
    40. 

  40. 

  41. 

  42. // STATUS - verified
    43. 

  43. // `isOperation()` correctness check
    44. 

  44. invariant operationCheck(bytes32 id)
    45. 

  45.     getTimestamp(id) > 0 <=> isOperation(id)
    46. 

  46. filtered { f -> !f.isView }
    47. 

  47. 

  48. // STATUS - verified
    49. 

  49. // `isOperationPending()` correctness check
    50. 

  50. invariant pendingCheck(bytes32 id)
    51. 

  51.     getTimestamp(id) > _DONE_TIMESTAMP() <=> isOperationPending(id)
    52. 

  52. filtered { f -> !f.isView }
    53. 

  53. 

  54. // STATUS - verified
    55. 

  55. // `isOperationReady()` correctness check
    56. 

  56. invariant readyCheck(env e, bytes32 id)
    57. 

  57.     (e.block.timestamp >= getTimestamp(id) && getTimestamp(id) > 1) <=> isOperationReady(e, id)
    58. 

  58. filtered { f -> !f.isView }
    59. 

  59. 

  60. // STATUS - verified
    61. 

  61. // `isOperationDone()` correctness check
    62. 

  62. invariant doneCheck(bytes32 id)
    63. 

  63.     getTimestamp(id) == _DONE_TIMESTAMP() <=> isOperationDone(id)
    64. 

  64. filtered { f -> !f.isView }
    65. 

  65. 

  66. 

  67. ////////////////////////////////////////////////////////////////////////////
    68. 

  68. //                            Rules                                       //
    69. 

  69. ////////////////////////////////////////////////////////////////////////////
    70. 

  70. 

  71. 

  72. /////////////////////////////////////////////////////////////
    73. 

  73. // STATE TRANSITIONS
    74. 

  74. /////////////////////////////////////////////////////////////
    75. 

  75. 

  76. 

  77. // STATUS - verified
    78. 

  78. // Possible transitions: form `!isOperation()` to `!isOperation()` or `isOperationPending()` only
    79. 

  79. rule unsetPendingTransitionGeneral(method f, env e){
    80. 

  80.     bytes32 id;
    81. 

  81. 

  82.     require !isOperation(id);
    83. 

  83.     require e.block.timestamp > 1;
    84. 

  84. 

  85.     calldataarg args;
    86. 

  86.     f(e, args);
    87. 

  87. 

  88.     assert isOperationPending(id) || !isOperation(id);
    89. 

  89. }
    90. 

  90. 

  91. 

  92. // STATUS - verified
    93. 

  93. // Possible transitions: form `!isOperation()` to `isOperationPending()` via `schedule()` and `scheduleBatch()` only
    94. 

  94. rule unsetPendingTransitionMethods(method f, env e){
    95. 

  95.     bytes32 id;
    96. 

  96. 

  97.     require !isOperation(id);
    98. 

  98. 

  99.     calldataarg args;
    100. 

  100.     f(e, args);
    101. 

  101. 

  102.     assert isOperationPending(id) => (f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector
    103. 

  103.                                 || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector), "Why do we need to follow the schedule?";
    104. 

  104. }
    105. 

  105. 

  106. 

  107. // STATUS - verified
    108. 

  108. // Possible transitions: form `ready()` to `isOperationDone()` via `execute()` and `executeBatch()` only
    109. 

  109. rule readyDoneTransition(method f, env e){
    110. 

  110.     bytes32 id;
    111. 

  111. 

  112.     require isOperationReady(e, id);
    113. 

  113. 

  114.     calldataarg args;
    115. 

  115.     f(e, args);
    116. 

  116. 

  117.     assert isOperationDone(id) => f.selector == execute(address, uint256, bytes, bytes32, bytes32).selector
    118. 

  118.                                 || f.selector == executeBatch(address[], uint256[], bytes[], bytes32, bytes32).selector , "It's not isOperationDone yet!";
    119. 

  119. }
    120. 

  120. 

  121. 

  122. // STATUS - verified
    123. 

  123. // isOperationPending() -> cancelled() via cancel() only
    124. 

  124. rule pendingCancelledTransition(method f, env e){
    125. 

  125.     bytes32 id;
    126. 

  126. 

  127.     require isOperationPending(id);
    128. 

  128. 

  129.     calldataarg args;
    130. 

  130.     f(e, args);
    131. 

  131. 

  132.     assert !isOperation(id) => f.selector == cancel(bytes32).selector, "How you dare to cancel me?";
    133. 

  133. }
    134. 

  134. 

  135. 

  136. // STATUS - verified
    137. 

  137. // isOperationDone() -> nowhere
    138. 

  138. rule doneToNothingTransition(method f, env e){
    139. 

  139.     bytes32 id;
    140. 

  140. 

  141.     require isOperationDone(id);
    142. 

  142. 

  143.     calldataarg args;
    144. 

  144.     f(e, args);
    145. 

  145. 

  146.     assert isOperationDone(id), "Did you find a way to escape? There is no way! HA-HA-HA";
    147. 

  147. }
    148. 

  148. 

  149. 

  150. 

  151. /////////////////////////////////////////////////////////////
    152. 

  152. // THE REST
    153. 

  153. /////////////////////////////////////////////////////////////
    154. 

  154. 

  155. 

  156. // STATUS - verified
    157. 

  157. // only TimelockController contract can change minDelay
    158. 

  158. rule minDelayOnlyChange(method f, env e){
    159. 

  159.     uint256 delayBefore = _minDelay();
    160. 

  160. 

  161.     calldataarg args;
    162. 

  162.     f(e, args);
    163. 

  163. 

  164.     uint256 delayAfter = _minDelay();
    165. 

  165. 

  166.     assert delayBefore != delayAfter => e.msg.sender == currentContract, "You cannot change your destiny! Only I can!";
    167. 

  167. }
    168. 

  168. 

  169. 

  170. // STATUS - verified
    171. 

  171. // scheduled operation timestamp == block.timestamp + delay (kind of unit test)
    172. 

  172. rule scheduleCheck(method f, env e){
    173. 

  173.     bytes32 id;
    174. 

  174. 

  175.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    176. 

  176. 

  177.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    178. 

  178. 

  179.     schedule(e, target, value, data, predecessor, salt, delay);
    180. 

  180. 

  181.     assert getTimestamp(id) == to_uint256(e.block.timestamp + delay), "Time doesn't obey to mortal souls";
    182. 

  182. }
    183. 

  183. 

  184. 

  185. // STATUS - verified
    186. 

  186. // Cannot call `execute()` on a isOperationPending (not ready) operation
    187. 

  187. rule cannotCallExecute(method f, env e){
    188. 

  188.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    189. 

  189.     bytes32 id;
    190. 

  190. 

  191.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    192. 

  192.     require isOperationPending(id) && !isOperationReady(e, id);
    193. 

  193. 

  194.     execute@withrevert(e, target, value, data, predecessor, salt);
    195. 

  195. 

  196.     assert lastReverted, "you go against execution nature";
    197. 

  197. }
    198. 

  198. 

  199. 

  200. // STATUS - verified
    201. 

  201. // Cannot call `execute()` on a !isOperation operation
    202. 

  202. rule executeRevertsFromUnset(method f, env e, env e2){
    203. 

  203.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    204. 

  204.     bytes32 id;
    205. 

  205. 

  206.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    207. 

  207.     require !isOperation(id);
    208. 

  208. 

  209.     execute@withrevert(e, target, value, data, predecessor, salt);
    210. 

  210. 

  211.     assert lastReverted, "you go against execution nature";
    212. 

  212. }
    213. 

  213. 

  214. 

  215. // STATUS - verified
    216. 

  216. // Execute reverts => state returns to isOperationPending
    217. 

  217. rule executeRevertsEffectCheck(method f, env e){
    218. 

  218.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    219. 

  219.     bytes32 id;
    220. 

  220. 

  221.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    222. 

  222.     require isOperationPending(id) && !isOperationReady(e, id);
    223. 

  223. 

  224.     execute@withrevert(e, target, value, data, predecessor, salt);
    225. 

  225.     bool reverted = lastReverted;
    226. 

  226. 

  227.     assert lastReverted => isOperationPending(id) && !isOperationReady(e, id), "you go against execution nature";
    228. 

  228. }
    229. 

  229. 

  230. 

  231. // STATUS - verified
    232. 

  232. // Canceled operations cannot be executed → can’t move from canceled to isOperationDone
    233. 

  233. rule cancelledNotExecuted(method f, env e){
    234. 

  234.     bytes32 id;
    235. 

  235. 

  236.     require !isOperation(id);
    237. 

  237.     require e.block.timestamp > 1;
    238. 

  238. 

  239.     calldataarg args;
    240. 

  240.     f(e, args);
    241. 

  241. 

  242.     assert !isOperationDone(id), "The ship is not a creature of the air";
    243. 

  243. }
    244. 

  244. 

  245. 

  246. // STATUS - verified
    247. 

  247. // Only proposers can schedule
    248. 

  248. rule onlyProposer(method f, env e) filtered { f -> f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector
    249. 

  249.                                                     || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector } {
    250. 

  250.     bytes32 id;
    251. 

  251.     bytes32 role;
    252. 

  252.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    253. 

  253. 

  254.     _checkRole@withrevert(e, PROPOSER_ROLE());
    255. 

  255. 

  256.     bool isCheckRoleReverted = lastReverted;
    257. 

  257. 

  258.     calldataarg args;
    259. 

  259.     f@withrevert(e, args);
    260. 

  260. 

  261.     bool isScheduleReverted = lastReverted;
    262. 

  262. 

  263.     assert isCheckRoleReverted => isScheduleReverted, "Enemy was detected";
    264. 

  264. }
    265. 

  265. 

  266. 

  267. // STATUS - verified
    268. 

  268. // if `ready` then has waited minimum period after isOperationPending()
    269. 

  269. rule cooldown(method f, env e, env e2){
    270. 

  270.     bytes32 id;
    271. 

  271.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    272. 

  272.     uint256 minDelay = getMinDelay();
    273. 

  273. 

  274.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    275. 

  275. 

  276.     schedule(e, target, value, data, predecessor, salt, delay);
    277. 

  277. 

  278.     calldataarg args;
    279. 

  279.     f(e, args);
    280. 

  280. 

  281.     assert isOperationReady(e2, id) => (e2.block.timestamp - e.block.timestamp >= minDelay), "No rush! When I'm ready, I'm ready";
    282. 

  282. }
    283. 

  283. 

  284. 

  285. // STATUS - verified
    286. 

  286. // `schedule()` should change only one id's timestamp
    287. 

  287. rule scheduleChange(env e){
    288. 

  288.     bytes32 id;  bytes32 otherId;
    289. 

  289.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    290. 

  290. 

  291.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    292. 

  292. 

  293.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    294. 

  294. 

  295.     schedule(e, target, value, data, predecessor, salt, delay);
    296. 

  296. 

  297.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    298. 

  298. }
    299. 

  299. 

  300. 

  301. // STATUS - verified
    302. 

  302. // `execute()` should change only one id's timestamp
    303. 

  303. rule executeChange(env e){
    304. 

  304.     bytes32 id;  bytes32 otherId;
    305. 

  305.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt;
    306. 

  306.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    307. 

  307. 

  308.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    309. 

  309. 

  310.     execute(e, target, value, data, predecessor, salt);
    311. 

  311. 

  312.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    313. 

  313. }
    314. 

  314. 

  315. 

  316. // STATUS - verified
    317. 

  317. // `cancel()` should change only one id's timestamp
    318. 

  318. rule cancelChange(env e){
    319. 

  319.     bytes32 id;  bytes32 otherId;
    320. 

  320. 

  321.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    322. 

  322. 

  323.     cancel(e, id);
    324. 

  324. 

  325.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    326. 

  326. }
    327.