GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 61b011869c
Branches Tags
openzeppelin-co...
/
certora
/
specs
/
GovernorCountingSimple.spec

GovernorCountingSimple.spec 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284 
  1. import "GovernorBase.spec"
    2. 

  2. 

  3. using ERC20VotesHarness as erc20votes
    4. 

  4. 

  5. methods {
    6. 

  6.     ghost_sum_vote_power_by_id(uint256) returns uint256 envfree
    7. 

  7.     // castVote(uint256, uint8) returns uint256
    8. 

  8.     // castVoteBySig(uint256,uint8,uint8,bytes32,bytes32) returns uint256
    9. 

  9. 	
    10. 

  10. 	snapshot(uint256) returns uint64 envfree
    11. 

  11.     quorum(uint256) returns uint256 envfree
    12. 

  12.     proposalVotes(uint256) returns (uint256, uint256, uint256) envfree
    13. 

  13. 

  14.     quorumNumerator() returns uint256
    15. 

  15.     updateQuorumNumerator(uint256)
    16. 

  16.     _executor() returns address
    17. 

  17. }
    18. 

  18. 

  19. //////////////////////////////////////////////////////////////////////////////
    20. 

  20. ///////////////////////////////// GHOSTS /////////////////////////////////////
    21. 

  21. //////////////////////////////////////////////////////////////////////////////
    22. 

  22. 

  23. ghost hasVoteGhost(uint256) returns uint256 {
    24. 

  24.     init_state axiom forall uint256 pId. hasVoteGhost(pId) == 0;
    25. 

  25. }
    26. 

  26. 

  27. //hook Sstore _proposalVotes[KEY uint256 pId].hasVoted[KEY address user] bool current_voting_State (bool old_voting_state) STORAGE{
    28. 

  28. //    havoc hasVoteGhost assuming forall uint256 p. ((p == pId && current_voting_State && !old_voting_state) ? (hasVoteGhost@new(p) == hasVoteGhost@old(p) + 1)  :
    29. 

  29. //                                                  (hasVoteGhost@new(p) == hasVoteGhost@old(p)));
    30. 

  30. //}
    31. 

  31. 

  32. ghost sum_all_votes_power() returns uint256 {
    33. 

  33. 	init_state axiom sum_all_votes_power() == 0;
    34. 

  34. }
    35. 

  35. 

  36. hook Sstore ghost_sum_vote_power_by_id [KEY uint256 pId] uint256 current_power(uint256 old_power) STORAGE {
    37. 

  37. 	havoc sum_all_votes_power assuming sum_all_votes_power@new() == sum_all_votes_power@old() - old_power + current_power;
    38. 

  38. }
    39. 

  39. 

  40. ghost tracked_weight(uint256) returns uint256 {
    41. 

  41. 	init_state axiom forall uint256 p. tracked_weight(p) == 0;
    42. 

  42. }
    43. 

  43. ghost sum_tracked_weight() returns uint256 {
    44. 

  44. 	init_state axiom sum_tracked_weight() == 0;
    45. 

  45. }
    46. 

  46. 

  47. ghost votesAgainst() returns uint256 {
    48. 

  48.     init_state axiom votesAgainst() == 0;
    49. 

  49. }
    50. 

  50. 

  51. ghost votesFor() returns uint256 {
    52. 

  52.     init_state axiom votesFor() == 0;
    53. 

  53. }
    54. 

  54. 

  55. ghost votesAbstain() returns uint256 {
    56. 

  56.     init_state axiom votesAbstain() == 0;
    57. 

  57. }
    58. 

  58. 

  59. hook Sstore _proposalVotes [KEY uint256 pId].againstVotes uint256 votes(uint256 old_votes) STORAGE {
    60. 

  60. 	havoc tracked_weight assuming forall uint256 p.(p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
    61. 

  61. 	                                            (p != pId => tracked_weight@new(p) == tracked_weight@old(p));
    62. 

  62. 	havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
    63. 

  63.     havoc votesAgainst assuming votesAgainst@new() == votesAgainst@old() - old_votes + votes;
    64. 

  64. }
    65. 

  65. 

  66. hook Sstore _proposalVotes [KEY uint256 pId].forVotes uint256 votes(uint256 old_votes) STORAGE {
    67. 

  67. 	havoc tracked_weight assuming forall uint256 p.(p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
    68. 

  68. 	                                            (p != pId => tracked_weight@new(p) == tracked_weight@old(p));
    69. 

  69. 	havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
    70. 

  70.     havoc votesFor assuming votesFor@new() == votesFor@old() - old_votes + votes;
    71. 

  71. }
    72. 

  72. 

  73. hook Sstore _proposalVotes [KEY uint256 pId].abstainVotes uint256 votes(uint256 old_votes) STORAGE {
    74. 

  74. 	havoc tracked_weight assuming forall uint256 p.(p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
    75. 

  75. 	                                            (p != pId => tracked_weight@new(p) == tracked_weight@old(p));
    76. 

  76. 	havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
    77. 

  77.     havoc votesAbstain assuming votesAbstain@new() == votesAbstain@old() - old_votes + votes;
    78. 

  78. }
    79. 

  79. 

  80. 

  81. ghost totalVotesPossible(uint256) returns uint256 {
    82. 

  82. 	init_state axiom forall uint256 bn. totalVotesPossible(bn) == 0;
    83. 

  83. }
    84. 

  84. 

  85. // Was done with _getVotes by mistake. Should check GovernorBasicHarness but _getVotes is from GovernorHarness
    86. 

  86. hook Sstore erc20votes._getPastVotes[KEY address uId][KEY uint256 blockNumber] uint256 voteWeight(uint256 old_voteWeight) STORAGE {
    87. 

  87. 	havoc totalVotesPossible assuming forall uint256 bn.
    88. 

  88. 	                                (bn == blockNumber => totalVotesPossible@new(bn) == totalVotesPossible@old(bn) - old_voteWeight + voteWeight)
    89. 

  89. 	                                && (bn != blockNumber => totalVotesPossible@new(bn) == totalVotesPossible@old(bn));
    90. 

  90. }
    91. 

  91. 

  92. 

  93. 

  94. //////////////////////////////////////////////////////////////////////////////
    95. 

  95. ////////////////////////////// INVARIANTS ////////////////////////////////////
    96. 

  96. //////////////////////////////////////////////////////////////////////////////
    97. 

  97. 

  98. 

  99. /*
    100. 

  100.  * sum of all votes casted is equal to the sum of voting power of those who voted, per each proposal
    101. 

  101.  */
    102. 

  102. invariant SumOfVotesCastEqualSumOfPowerOfVotedPerProposal(uint256 pId) 
    103. 

  103. 	tracked_weight(pId) == ghost_sum_vote_power_by_id(pId)
    104. 

  104. 		
    105. 

  105. /*
    106. 

  106.  * sum of all votes casted is equal to the sum of voting power of those who voted
    107. 

  107.  */
    108. 

  108. invariant SumOfVotesCastEqualSumOfPowerOfVoted() 
    109. 

  109. 	sum_tracked_weight() == sum_all_votes_power()
    110. 

  110. 		
    111. 

  111. /*
    112. 

  112. * totalVoted >= vote(id)
    113. 

  113. */
    114. 

  114. invariant OneIsNotMoreThanAll(uint256 pId) 
    115. 

  115. 	sum_all_votes_power() >= tracked_weight(pId)
    116. 

  116. 

  117. 

  118. //NEED GHOST FIX	
    119. 

  119. /*
    120. 

  120. * totalVotesPossible >= votePower(id)
    121. 

  121. */
    122. 

  122. invariant possibleTotalVotes(uint256 pId) 
    123. 

  123. 	tracked_weight(pId) <= totalVotesPossible(snapshot(pId))
    124. 

  124. 

  125. /*
    126. 

  126. * totalVotesPossible >= votePower(id)
    127. 

  127. */
    128. 

  128. // invariant possibleTotalVotes(uint pId)
    129. 

  129. //invariant trackedVsTotal(uint256 pId) 
    130. 

  130. //	tracked_weight(pId) <= possibleMaxOfVoters(pId)
    131. 

  131. 

  132. 

  133. /*
    134. 

  134. rule someOtherRuleToRemoveLater(uint256 num){
    135. 

  135.     env e; calldataarg args; method f;
    136. 

  136.     uint256 x = hasVoteGhost(num);
    137. 

  137.     f(e, args);
    138. 

  138.     assert(false);
    139. 

  139. }
    140. 

  140. */
    141. 

  141. 

  142. /*
    143. 

  143.  * Checks that only one user is updated in the system when calling cast vote functions (assuming hasVoted is changing correctly, false->true, with every vote cast)
    144. 

  144.  */
    145. 

  145. rule oneUserVotesInCast(uint256 pId, method f) filtered { f -> ((f.selector == castVote(uint256, uint8).selector) || 
    146. 

  146.                                                                 f.selector == castVoteBySig(uint256, uint8, uint8, bytes32, bytes32).selector) }{
    147. 

  147.     env e; calldataarg args;
    148. 

  148.     uint256 ghost_Before = hasVoteGhost(pId);
    149. 

  149.     f(e, args);
    150. 

  150.     uint256 ghost_After = hasVoteGhost(pId);
    151. 

  151.     assert(ghost_After == ghost_Before + 1, "Raised by more than 1");
    152. 

  152. }
    153. 

  153. 

  154. /*
    155. 

  155.  * Checks that in any call to cast vote functions only the sender's value is updated
    156. 

  156.  */
    157. 

  157.  /*
    158. 

  158. rule noVoteForSomeoneElse(uint256 pId, uint8 support){
    159. 

  159.     env e;
    160. 

  160.     address voter = e.msg.sender;
    161. 

  161.     bool hasVotedBefore = hasVoted(pId, voter);
    162. 

  162.     require(!hasVotedBefore);
    163. 

  163.     castVote(e, pId, support);
    164. 

  164.     bool hasVotedAfter = hasVoted(pId, voter);
    165. 

  165.     assert(hasVotedBefore != hasVotedAfter => forall address user. user != voter);
    166. 

  166. }
    167. 

  167. */
    168. 

  168. 

  169. // ok
    170. 

  170. rule votingWeightMonotonicity(method f){
    171. 

  171.     uint256 votingWeightBefore = sum_tracked_weight();
    172. 

  172. 

  173.     env e; 
    174. 

  174.     calldataarg args;
    175. 

  175.     f(e, args);
    176. 

  176. 

  177.     uint256 votingWeightAfter = sum_tracked_weight();
    178. 

  178. 

  179.     assert votingWeightBefore <= votingWeightAfter, "Voting weight was decreased somehow";
    180. 

  180. }
    181. 

  181. 

  182. // ok with this branch: thomas/bool-hook-values
    183. 

  183. // can't use link because contracts are abstract, they don't have bytecode/constructor
    184. 

  184. // add implementation harness
    185. 

  185. rule quorumMonotonicity(method f, uint256 blockNumber){
    186. 

  186.     uint256 quorumBefore = quorum(blockNumber);
    187. 

  187. 

  188.     env e; 
    189. 

  189.     calldataarg args;
    190. 

  190.     f(e, args);
    191. 

  191. 

  192.     uint256 quorumAfter = quorum(blockNumber);
    193. 

  193. 

  194.     assert quorumBefore <= quorumAfter, "Quorum was decreased somehow";
    195. 

  195. }
    196. 

  196. 

  197. 

  198. function callFunctionWithParams(method f, uint256 proposalId, env e) {
    199. 

  199.     address[] targets;
    200. 

  200.     uint256[] values;
    201. 

  201.     bytes[] calldatas;
    202. 

  202.     bytes32 descriptionHash;
    203. 

  203.     uint8 support;
    204. 

  204.     uint8 v; bytes32 r; bytes32 s;
    205. 

  205. 	if (f.selector == callPropose(address[], uint256[], bytes[]).selector) {
    206. 

  206. 		uint256 result = callPropose(e, targets, values, calldatas);
    207. 

  207.         require result == proposalId;
    208. 

  208. 	} else if (f.selector == execute(address[], uint256[], bytes[], bytes32).selector) {
    209. 

  209.         uint256 result = execute(e, targets, values, calldatas, descriptionHash);
    210. 

  210.         require result == proposalId;
    211. 

  211. 	} else if (f.selector == castVote(uint256, uint8).selector) {
    212. 

  212. 		castVote(e, proposalId, support);
    213. 

  213. 	//} else if  (f.selector == castVoteWithReason(uint256, uint8, string).selector) {
    214. 

  214. 	//	castVoteWithReason(e, proposalId, support, reason);
    215. 

  215. 	} else if (f.selector == castVoteBySig(uint256, uint8,uint8, bytes32, bytes32).selector) {
    216. 

  216. 		castVoteBySig(e, proposalId, support, v, r, s);
    217. 

  217. 	} else {
    218. 

  218. 		calldataarg args;
    219. 

  219. 		f(e,args);
    220. 

  220. 	}
    221. 

  221. }
    222. 

  222. 

  223. 

  224. // getVotes() returns different results.
    225. 

  225. // how to ensure that the same acc is used in getVotes() in uint256 votesBefore = getVotes(acc, bn);/uint256 votesAfter = getVotes(acc, bn); and in callFunctionWithParams
    226. 

  226. // votesBefore and votesAfter give different results but shoudn't
    227. 

  227. 

  228. // are we assuming that a person with 0 votes can vote? are we assuming that a person may have 0 votes
    229. 

  229. // it seems like a weight can be 0. At least there is no check for it
    230. 

  230. // If it can be 0 then < should be changed to <= but it gives less coverage
    231. 

  231. 

  232. // run on ALex's branch to avoid tiomeouts: --staging alex/external-timeout-for-solvers
    233. 

  233. // --staging shelly/forSasha
    234. 

  234. // implement ERC20Votes as a harness
    235. 

  235. rule hasVotedCorrelation(uint256 pId, method f, env e, uint256 bn) filtered {f -> f.selector != 0x7d5e81e2}{
    236. 

  236.     uint256 againstBefore = votesAgainst();
    237. 

  237.     uint256 forBefore = votesFor();
    238. 

  238.     uint256 abstainBefore = votesAbstain();
    239. 

  239.     //againstBefore, forBefore, abstainBefore = proposalVotes(pId);
    240. 

  240. 

  241.     address acc = e.msg.sender;
    242. 

  242. 

  243.     bool hasVotedBefore = hasVoted(e, pId, acc);
    244. 

  244.     uint256 votesBefore = getVotes(acc, bn);
    245. 

  245.     require votesBefore > 0;
    246. 

  246. 

  247.     //calldataarg args;
    248. 

  248.     //f(e, args);
    249. 

  249.     callFunctionWithParams(f, pId, e);
    250. 

  250. 

  251.     uint256 againstAfter = votesAgainst();
    252. 

  252.     uint256 forAfter = votesFor();
    253. 

  253.     uint256 abstainAfter = votesAbstain();
    254. 

  254.     //againstAfter, forAfter, abstainAfter = proposalVotes(pId);
    255. 

  255. 

  256.     uint256 votesAfter = getVotes(acc, bn);
    257. 

  257.     bool hasVotedAfter = hasVoted(e, pId, acc);
    258. 

  258. 

  259.     assert hasVotedBefore != hasVotedAfter => againstBefore <= againstAfter || forBefore <= forAfter || abstainBefore <= abstainAfter, "no correlation";
    260. 

  260. }
    261. 

  261. 

  262. 

  263. /*
    264. 

  264. * Check privileged operations
    265. 

  265. */
    266. 

  266. // NO NEED FOR SPECIFIC CHANGES
    267. 

  267. // how to check executor()?
    268. 

  268. // to make it public instead of internal is not best idea, I think.
    269. 

  269. // currentContract gives a violation in 
    270. 

  270. // maybe need harness implementation for one of the contracts
    271. 

  271. rule privilegedOnly(method f){
    272. 

  272.     env e;
    273. 

  273.     calldataarg arg;
    274. 

  274.     uint256 quorumNumBefore = quorumNumerator(e);
    275. 

  275. 

  276.     f(e, arg);
    277. 

  277. 

  278.     uint256 quorumNumAfter = quorumNumerator(e);
    279. 

  279. 

  280.     address executorCheck = currentContract;
    281. 

  281.     // address executorCheck = _executor(e);
    282. 

  282. 

  283.     assert quorumNumBefore != quorumNumAfter => e.msg.sender == executorCheck, "non priveleged user changed quorum numerator";
    284. 

  284. }
    285.