sol_Bo8des9o
/
openzeppelin-contracts


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276
							import "helpers.spec"
import "Governor.helpers.spec"
import "GovernorInvariants.spec"

use invariant proposalStateConsistency
use invariant queuedImplyDeadlineOver

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Rule: propose effect and liveness. Includes "no double proposition"                                                 │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule propose_liveness(uint256 pId, env e) {
    require nonpayable(e);
    require clockSanity(e);

    uint8 stateBefore = state(e, pId);

    address[] targets; uint256[] values; bytes[] calldatas; string descr;
    require pId == hashProposal(targets, values, calldatas, descr);

    propose@withrevert(e, targets, values, calldatas, descr);

    // liveness & double proposal
    assert !lastReverted <=> (
        stateBefore == UNSET() &&
        validProposal(targets, values, calldatas)
    );
}

rule propose_effect(uint256 pId, env e) {
    address[] targets; uint256[] values; bytes[] calldatas; string descr;
    require pId == hashProposal(targets, values, calldatas, descr);

    propose(e, targets, values, calldatas, descr);

    // effect
    assert state(e, pId)         == PENDING();
    assert proposalProposer(pId) == e.msg.sender;
    assert proposalSnapshot(pId) == clock(e) + votingDelay();
    assert proposalDeadline(pId) == clock(e) + votingDelay() + votingPeriod();
}

rule propose_sideeffect(uint256 pId, env e, uint256 otherId) {
    uint8   otherStateBefore = state(e, otherId);
    uint256 otherVoteStart   = proposalSnapshot(otherId);
    uint256 otherVoteEnd     = proposalDeadline(otherId);
    address otherProposer    = proposalProposer(otherId);

    address[] targets; uint256[] values; bytes[] calldatas; string descr;
    require pId == hashProposal(targets, values, calldatas, descr);

    propose(e, targets, values, calldatas, descr);

    // no side-effect
    assert state(e, otherId)         != otherStateBefore => otherId == pId;
    assert proposalSnapshot(otherId) == otherVoteStart;
    assert proposalDeadline(otherId) == otherVoteEnd;
    assert proposalProposer(otherId) == otherProposer;
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Rule: votes effect and liveness. Includes "A user cannot vote twice"                                                │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule castVote_liveness(uint256 pId, env e, method f)
    filtered { f -> voting(f) }
{
    require nonpayable(e);
    require clockSanity(e);

    uint8   support;
    address voter;

    uint8   stateBefore    = state(e, pId);
    bool    hasVotedBefore = hasVoted(pId, voter);
    uint256 voterWeight    = token_getPastVotes(voter, proposalSnapshot(pId));

    // voting weight overflow check
    require getAgainstVotes(pId) + voterWeight <= max_uint256;
    require getForVotes(pId)     + voterWeight <= max_uint256;
    require getAbstainVotes(pId) + voterWeight <= max_uint256;

    helperVoteWithRevert(e, f, pId, voter, support);

    assert !lastReverted <=> (
        stateBefore == ACTIVE() &&
        !hasVotedBefore &&
        (support == 0 || support == 1 || support == 2)
    );
}

rule castVote_effect(uint256 pId, env e, method f)
    filtered { f -> voting(f) }
{
    uint8   support;
    address voter;

    uint256 againstVotesBefore = getAgainstVotes(pId);
    uint256 forVotesBefore     = getForVotes(pId);
    uint256 abstainVotesBefore = getAbstainVotes(pId);
    uint256 voterWeight        = token_getPastVotes(voter, proposalSnapshot(pId));

    uint256 weight = helperVoteWithRevert(e, f, pId, voter, support);
    require !lastReverted;

    assert state(e, pId)        == ACTIVE();
    assert voterWeight          == weight;
    assert getAgainstVotes(pId) == againstVotesBefore + (support == 0 ? weight : 0);
    assert getForVotes(pId)     == forVotesBefore     + (support == 1 ? weight : 0);
    assert getAbstainVotes(pId) == abstainVotesBefore + (support == 2 ? weight : 0);
    assert hasVoted(pId, voter);
}

rule castVote_sideeffect(uint256 pId, env e, method f)
    filtered { f -> voting(f) }
{
    uint8   support;
    address voter;
    address otherVoter;
    uint256 otherId;

    bool    otherVotedBefore        = hasVoted(otherId, otherVoter);
    uint256 otherAgainstVotesBefore = getAgainstVotes(otherId);
    uint256 otherForVotesBefore     = getForVotes(otherId);
    uint256 otherAbstainVotesBefore = getAbstainVotes(otherId);

    helperVoteWithRevert(e, f, pId, voter, support);
    require !lastReverted;

    // no side-effect
    assert hasVoted(otherId, otherVoter) != otherVotedBefore        => (otherId == pId && otherVoter == voter);
    assert getAgainstVotes(otherId)      != otherAgainstVotesBefore => (otherId == pId);
    assert getForVotes(otherId)          != otherForVotesBefore     => (otherId == pId);
    assert getAbstainVotes(otherId)      != otherAbstainVotesBefore => (otherId == pId);
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Rule: queue effect and liveness.                                                                                    │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule queue_liveness(uint256 pId, env e) {
    require nonpayable(e);
    require clockSanity(e);

    uint8 stateBefore = state(e, pId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    queue@withrevert(e, targets, values, calldatas, descrHash);

    // liveness
    assert !lastReverted <=> stateBefore == SUCCEEDED();
}

rule queue_effect(uint256 pId, env e) {
    uint8 stateBefore  = state(e, pId);
    bool  queuedBefore = isQueued(pId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    queue(e, targets, values, calldatas, descrHash);

    assert state(e, pId) == QUEUED();
    assert isQueued(pId);
    assert !queuedBefore;
}

rule queue_sideeffect(uint256 pId, env e, uint256 otherId) {
    uint8 otherStateBefore  = state(e, otherId);
    bool  otherQueuedBefore = isQueued(otherId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    queue(e, targets, values, calldatas, descrHash);

    // no side-effect
    assert state(e, otherId) != otherStateBefore  => otherId == pId;
    assert isQueued(otherId) != otherQueuedBefore => otherId == pId;
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Rule: execute effect and liveness.                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule execute_liveness(uint256 pId, env e) {
    require nonpayable(e);
    require clockSanity(e);

    uint8 stateBefore = state(e, pId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    execute@withrevert(e, targets, values, calldatas, descrHash);

    // liveness: can't check full equivalence because of execution call reverts
    assert !lastReverted => (stateBefore == SUCCEEDED() || stateBefore == QUEUED());
}

rule execute_effect(uint256 pId, env e) {
    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    execute(e, targets, values, calldatas, descrHash);

    // effect
    assert state(e, pId) == EXECUTED();
}

rule execute_sideeffect(uint256 pId, env e, uint256 otherId) {
    uint8 otherStateBefore = state(e, otherId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    execute(e, targets, values, calldatas, descrHash);

    // no side-effect
    assert state(e, otherId) != otherStateBefore => otherId == pId;
}

/*
┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Rule: cancel (public) effect and liveness.                                                                          │
└─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
*/
rule cancel_liveness(uint256 pId, env e) {
    require nonpayable(e);
    require clockSanity(e);
    requireInvariant queuedImplyDeadlineOver(e, pId);

    uint8 stateBefore = state(e, pId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    cancel@withrevert(e, targets, values, calldatas, descrHash);

    // liveness
    assert !lastReverted <=> (
        stateBefore == PENDING() &&
        e.msg.sender == proposalProposer(pId)
    );
}

rule cancel_effect(uint256 pId, env e) {
    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    cancel(e, targets, values, calldatas, descrHash);

    // effect
    assert state(e, pId) == CANCELED();
    assert !isQueued(pId); // cancel resets timelockId
}

rule cancel_sideeffect(uint256 pId, env e, uint256 otherId) {
    uint8 otherStateBefore  = state(e, otherId);
    bool  otherQueuedBefore = isQueued(otherId);

    address[] targets; uint256[] values; bytes[] calldatas; bytes32 descrHash;
    require pId == hashProposal(targets, values, calldatas, descrHash);

    cancel(e, targets, values, calldatas, descrHash);

    // no side-effect
    assert state(e, otherId) != otherStateBefore  => otherId == pId;
    assert isQueued(otherId) != otherQueuedBefore => otherId == pId;
}