sol_Bo8des9o
/
openzeppelin-contracts


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326
							using AccessControlHarness as AC

methods {
    getTimestamp(bytes32) returns(uint256) envfree
    _DONE_TIMESTAMP() returns(uint256) envfree
    _minDelay() returns(uint256) envfree
    getMinDelay() returns(uint256) envfree
    hashOperation(address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt) returns(bytes32) envfree
    
    cancel(bytes32)
    schedule(address, uint256, bytes32, bytes32, bytes32, uint256)
    execute(address, uint256, bytes, bytes32, bytes32)
}

////////////////////////////////////////////////////////////////////////////
//                       Definitions                                      //
////////////////////////////////////////////////////////////////////////////


definition unset(bytes32 id) returns bool =
    getTimestamp(id) == 0;

definition pending(bytes32 id) returns bool =
    getTimestamp(id) > _DONE_TIMESTAMP();

definition ready(bytes32 id, env e) returns bool =
    getTimestamp(id) > _DONE_TIMESTAMP() && getTimestamp(id) <= e.block.timestamp;

definition done(bytes32 id) returns bool =
    getTimestamp(id) == _DONE_TIMESTAMP();


////////////////////////////////////////////////////////////////////////////
//                         Functions                                      //
////////////////////////////////////////////////////////////////////////////


function hashIdCorrelation(bytes32 id, address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt){
    require data.length < 7;
    require hashOperation(target, value, data, predecessor, salt) == id;
}


function executionsCall(method f, env e, address target, uint256 value, bytes data, 
                                    bytes32 predecessor, bytes32 salt, uint256 delay, 
                                    address[] targets, uint256[] values, bytes[] datas) {
    if  (f.selector == execute(address, uint256, bytes, bytes32, bytes32).selector) {
        execute(e, target, value, data, predecessor, salt);
	} else if (f.selector == executeBatch(address[], uint256[], bytes[], bytes32, bytes32).selector) {
        executeBatch(e, targets, values, datas, predecessor, salt);
	} else {
        calldataarg args;
        f(e, args);
    }
}

////////////////////////////////////////////////////////////////////////////
//                           Ghosts                                       //
////////////////////////////////////////////////////////////////////////////


////////////////////////////////////////////////////////////////////////////
//                            Invariants                                  //
////////////////////////////////////////////////////////////////////////////


////////////////////////////////////////////////////////////////////////////
//                            Rules                                       //
////////////////////////////////////////////////////////////////////////////


rule keccakCheck(method f, env e){
    address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    address targetRand; uint256 valueRand; bytes dataRand; bytes32 predecessorRand; bytes32 saltRand;

    require data.length < 4;
    // uint256 freshIndex;
    // require freshIndex <= data.length

    // require target != targetRand || value != valueRand || data[freshIndex] != dataRand[freshIndex] || predecessor != predecessorRand || salt != saltRand;

    bytes32 a = hashOperation(target, value, data, predecessor, salt);
    bytes32 b = hashOperation(target, value, data, predecessor, salt);
    // bytes32 c = hashOperation(targetRand, valueRand, dataRand, predecessorRand, saltRand);

    assert a == b, "hashes are different";
    // assert a != c, "hashes are the same";
}


/////////////////////////////////////////////////////////////
// STATE TRANSITIONS
/////////////////////////////////////////////////////////////


// STATUS - verified
// unset() -> unset() || pending() only
rule unsetPendingTransitionGeneral(method f, env e){
    bytes32 id;

    require unset(id);
    require e.block.timestamp > 1;

    calldataarg args;
    f(e, args);

    assert pending(id) || unset(id);
}


// STATUS - 
// unset() -> pending() via schedule() and scheduleBatch() only
rule unsetPendingTransitionMethods(method f, env e){
    bytes32 id;

    require unset(id);

    calldataarg args;
    f(e, args);

    bool tmp = pending(id);

    assert pending(id) => (f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector 
                                || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector), "Why do we need to follow the schedule?";
}


// STATUS - verified
// ready() -> done() via execute() and executeBatch() only
rule readyDoneTransition(method f, env e){
    bytes32 id;

    require ready(id, e);

    calldataarg args;
    f(e, args);

    assert done(id) => f.selector == execute(address, uint256, bytes, bytes32, bytes32).selector  
                                || f.selector == executeBatch(address[], uint256[], bytes[], bytes32, bytes32).selector , "It's not done yet!";
}


// STATUS - verified
// pending() -> cancelled() via cancel() only
rule pendingCancelledTransition(method f, env e){
    bytes32 id;

    require pending(id);

    calldataarg args;
    f(e, args);

    assert unset(id) => f.selector == cancel(bytes32).selector, "How you dare to cancel me?";
}


// STATUS - verified
// done() -> nowhere
rule doneToNothingTransition(method f, env e){
    bytes32 id;

    require done(id);

    calldataarg args;
    f(e, args);

    assert done(id), "Did you find a way to escape? There is no way! HA-HA-HA";
}


/////////////////////////////////////////////////////////////
// THE REST
/////////////////////////////////////////////////////////////


// STATUS - verified
// only TimelockController contract can change minDealy
rule minDealyOnlyChange(method f, env e){
    uint256 delayBefore = _minDelay();    

    calldataarg args;
    f(e, args);

    uint256 delayAfter = _minDelay();

    assert delayBefore != delayAfter => e.msg.sender == currentContract, "You cannot change your destiny! Only I can!";
}


// STATUS - in progress (need working hash)
// execute() is the only way to set timestamp to 1
rule getTimestampOnlyChange(method f, env e){
    bytes32 id;
    address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt; uint256 delay;
    address[] targets; uint256[] values; bytes[] datas;

    require (targets[0] == target && values[0] == value && datas[0] == data)
                || (targets[1] == target && values[1] == value && datas[1] == data)
                || (targets[2] == target && values[2] == value && datas[2] == data);

    hashIdCorrelation(id, target, value, data, predecessor, salt);

    executionsCall(f, e, target, value, data, predecessor, salt, delay, targets, values, datas);

    assert getTimestamp(id) == 1 => f.selector == execute(address, uint256, bytes, bytes32, bytes32).selector  
                                        || f.selector == executeBatch(address[], uint256[], bytes[], bytes32, bytes32).selector, "Did you find a way to break the system?";
}


// STATUS - in progress (need working hash)
// scheduled operation timestamp == block.timestamp + delay (kind of unit test)
rule scheduleCheck(method f, env e){
    bytes32 id;

    address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;

    require getTimestamp(id) < e.block.timestamp;
    // require getMinDelay() > 0;  
    hashIdCorrelation(id, target, value, data, predecessor, salt);

    schedule(e, target, value, data, predecessor, salt, delay);

    assert getTimestamp(id) == to_uint256(e.block.timestamp + getMinDelay()), "Time doesn't obey to mortal souls";
}


// STATUS - in progress (need working hash)
// Cannot call execute on a pending (not ready) operation
rule cannotCallExecute(method f, env e){
    address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    bytes32 id;

    hashIdCorrelation(id, target, value, data, predecessor, salt);
    require pending(id) && !ready(id, e);

    execute@withrevert(e, target, value, data, predecessor, salt);

    assert lastReverted, "you go against execution nature";
}


// STATUS - in progress
// in unset() execute() reverts
rule executeRevertFromUnset(method f, env e, env e2){
    address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    bytes32 id;

    hashIdCorrelation(id, target, value, data, predecessor, salt);
    require unset(id);

    execute@withrevert(e, target, value, data, predecessor, salt);

    assert lastReverted, "you go against execution nature";
}


// STATUS - 
// Execute reverts => state returns to pending
rule executeRevertEffectCheck(method f, env e){
    address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    bytes32 id;

    hashIdCorrelation(id, target, value, data, predecessor, salt);
    require pending(id) && !ready(id, e);

    execute@withrevert(e, target, value, data, predecessor, salt);
    bool reverted = lastReverted;

    assert lastReverted => pending(id) && !ready(id, e), "you go against execution nature";
}


// STATUS - verified
// Canceled operations cannot be executed → can’t move from canceled to ready
rule cancelledNotExecuted(method f, env e){
    bytes32 id;

    require unset(id);
    require e.block.timestamp > 1;

    calldataarg args;
    f(e, args);

    assert !done(id), "The ship is not a creature of the air";
}


// STATUS - in progress (add schedule batch)
// Only proposers can schedule an operation
rule onlyProposer(method f, env e){
    bytes32 id;
    bytes32 role;
    address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;

    require unset(id);
    hashIdCorrelation(id, target, value, data, predecessor, salt);

    AC._checkRole@withrevert(e, role);

    bool isCheckRoleReverted = lastReverted;
    
    schedule@withrevert(e, target, value, data, predecessor, salt, delay);

    bool isScheduleReverted = lastReverted;

    assert isCheckRoleReverted => isScheduleReverted, "Enemy was detected";
}


// STATUS - in progress
// Ready = has waited minimum period after pending 
rule cooldown(method f, env e, env e2){
    bytes32 id;

    require unset(id);

    calldataarg args;
    f(e, args);

    // e.block.timestamp - delay > time scheduled => ready()
    assert e.block.timestamp >= getTimestamp(id) => ready(id, e), "No rush! When I'm ready, I'm ready";
}