GitBross Acasă Explorează Ajutor
Înregistrare Autentificare
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Arbore: a16eaebb25
Ramuri Etichete
openzeppelin-co...
/
certora
/
specs
/
GovernorCountingSimple.spec

GovernorCountingSimple.spec 8.2 KB
Istoric Crud

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224 
  1. import "GovernorBase.spec"
    2. 

  2. 

  3. methods {
    4. 

  4.     ghost_sum_vote_power_by_id(uint256) returns uint256 envfree
    5. 

  5.     // castVote(uint256, uint8) returns uint256
    6. 

  6.     // castVoteBySig(uint256,uint8,uint8,bytes32,bytes32) returns uint256
    7. 

  7. 	
    8. 

  8. 	snapshot(uint256) returns uint64 envfree
    9. 

  9.     quorum(uint256) returns uint256 envfree
    10. 

  10.     proposalVotes(uint256) returns (uint256, uint256, uint256) envfree
    11. 

  11. 

  12.     getVotes(address, uint256) returns uint256 envfree
    13. 

  13.     //getVotes(address, uint256) => CONSTANT
    14. 

  14. }
    15. 

  15. 

  16. //////////////////////////////////////////////////////////////////////////////
    17. 

  17. ///////////////////////////////// GHOSTS /////////////////////////////////////
    18. 

  18. //////////////////////////////////////////////////////////////////////////////
    19. 

  19. 

  20. ghost hasVoteGhost(uint256) returns uint256 {
    21. 

  21.     init_state axiom forall uint256 pId. hasVoteGhost(pId) == 0;
    22. 

  22. }
    23. 

  23. 

  24. hook Sstore _proposalVotes[KEY uint256 pId].hasVoted[KEY address user] bool current_voting_State (bool old_voting_state) STORAGE{
    25. 

  25.     havoc hasVoteGhost assuming forall uint256 p. ((p == pId && current_voting_State && !old_voting_state) ? (hasVoteGhost@new(p) == hasVoteGhost@old(p) + 1)  :
    26. 

  26.                                                   (hasVoteGhost@new(p) == hasVoteGhost@old(p)));
    27. 

  27. }
    28. 

  28. 

  29. ghost sum_all_votes_power() returns uint256 {
    30. 

  30. 	init_state axiom sum_all_votes_power() == 0;
    31. 

  31. }
    32. 

  32. 

  33. hook Sstore ghost_sum_vote_power_by_id [KEY uint256 pId] uint256 current_power(uint256 old_power) STORAGE {
    34. 

  34. 	havoc sum_all_votes_power assuming sum_all_votes_power@new() == sum_all_votes_power@old() - old_power + current_power;
    35. 

  35. }
    36. 

  36. 

  37. ghost tracked_weight(uint256) returns uint256 {
    38. 

  38. 	init_state axiom forall uint256 p. tracked_weight(p) == 0;
    39. 

  39. }
    40. 

  40. ghost sum_tracked_weight() returns uint256 {
    41. 

  41. 	init_state axiom sum_tracked_weight() == 0;
    42. 

  42. }
    43. 

  43. 

  44. ghost votesAgainst() returns uint256 {
    45. 

  45.     init_state axiom votesAgainst() == 0;
    46. 

  46. }
    47. 

  47. 

  48. ghost votesFor() returns uint256 {
    49. 

  49.     init_state axiom votesFor() == 0;
    50. 

  50. }
    51. 

  51. 

  52. ghost votesAbstain() returns uint256 {
    53. 

  53.     init_state axiom votesAbstain() == 0;
    54. 

  54. }
    55. 

  55. 

  56. hook Sstore _proposalVotes [KEY uint256 pId].againstVotes uint256 votes(uint256 old_votes) STORAGE {
    57. 

  57. 	havoc tracked_weight assuming forall uint256 p.(p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
    58. 

  58. 	                                            (p != pId => tracked_weight@new(p) == tracked_weight@old(p));
    59. 

  59. 	havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
    60. 

  60.     havoc votesAgainst assuming votesAgainst@new() == votesAgainst@old() - old_votes + votes;
    61. 

  61. }
    62. 

  62. 

  63. hook Sstore _proposalVotes [KEY uint256 pId].forVotes uint256 votes(uint256 old_votes) STORAGE {
    64. 

  64. 	havoc tracked_weight assuming forall uint256 p.(p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
    65. 

  65. 	                                            (p != pId => tracked_weight@new(p) == tracked_weight@old(p));
    66. 

  66. 	havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
    67. 

  67.     havoc votesFor assuming votesFor@new() == votesFor@old() - old_votes + votes;
    68. 

  68. }
    69. 

  69. 

  70. hook Sstore _proposalVotes [KEY uint256 pId].abstainVotes uint256 votes(uint256 old_votes) STORAGE {
    71. 

  71. 	havoc tracked_weight assuming forall uint256 p.(p == pId => tracked_weight@new(p) == tracked_weight@old(p) - old_votes + votes) &&
    72. 

  72. 	                                            (p != pId => tracked_weight@new(p) == tracked_weight@old(p));
    73. 

  73. 	havoc sum_tracked_weight assuming sum_tracked_weight@new() == sum_tracked_weight@old() - old_votes + votes;
    74. 

  74.     havoc votesAbstain assuming votesAbstain@new() == votesAbstain@old() - old_votes + votes;
    75. 

  75. }
    76. 

  76. 

  77. /*
    78. 

  78. ghost totalVotesPossible(uint256) returns uint256 {
    79. 

  79. 	init_state axiom forall uint256 bn. totalVotesPossible(bn) == 0;
    80. 

  80. }
    81. 

  81. 

  82. ghost possibleMaxOfVoters(uint256) returns uint256{
    83. 

  83.     init_state axiom forall uint256 pId. possibleMaxOfVoters(pId) == 0;
    84. 

  84. }
    85. 

  85. 

  86. hook Sstore _getVotes[KEY address uId][KEY uint256 blockNumber] uint256 voteWeight(uint256 old_voteWeight) STORAGE {
    87. 

  87. 	havoc totalVotesPossible assuming forall uint256 bn.
    88. 

  88. 	                                (bn == blockNumber => totalVotesPossible@new(bn) == totalVotesPossible@old(bn) - old_voteWeight + voteWeight)
    89. 

  89. 	                                && (bn != blockNumber => totalVotesPossible@new(bn) == totalVotesPossible@old(bn));
    90. 

  90.     //somehow havoc possibleMaxOfVoters based on scheme. Probably can be implemented if previous havoc is possible
    91. 

  91. }
    92. 

  92. */
    93. 

  93. /*
    94. 

  94. _proposalVotes[pId].hasVoted[account] -> bool
    95. 

  95. 								^
    96. 

  96. 								|
    97. 

  97. 					go through all accounts,
    98. 

  98. 					if true =>
    99. 

  99. possibleMaxOfVoters(pId) += getVotes(pId, acount);
    100. 

  100. */
    101. 

  101. 

  102. //////////////////////////////////////////////////////////////////////////////
    103. 

  103. ////////////////////////////// INVARIANTS ////////////////////////////////////
    104. 

  104. //////////////////////////////////////////////////////////////////////////////
    105. 

  105. 

  106. 

  107. /*
    108. 

  108.  * sum of all votes casted is equal to the sum of voting power of those who voted, per each proposal
    109. 

  109.  */
    110. 

  110. invariant SumOfVotesCastEqualSumOfPowerOfVotedPerProposal(uint256 pId) 
    111. 

  111. 	tracked_weight(pId) == ghost_sum_vote_power_by_id(pId)
    112. 

  112. 		
    113. 

  113. /*
    114. 

  114.  * sum of all votes casted is equal to the sum of voting power of those who voted
    115. 

  115.  */
    116. 

  116. invariant SumOfVotesCastEqualSumOfPowerOfVoted() 
    117. 

  117. 	sum_tracked_weight() == sum_all_votes_power()
    118. 

  118. 		
    119. 

  119. /*
    120. 

  120. * totalVoted >= vote(id)
    121. 

  121. */
    122. 

  122. invariant OneIsNotMoreThanAll(uint256 pId) 
    123. 

  123. 	sum_all_votes_power() >= tracked_weight(pId)
    124. 

  124. 

  125. 

  126. //NEED GHOST FIX	
    127. 

  127. /*
    128. 

  128. * totalVotesPossible >= votePower(id)
    129. 

  129. */
    130. 

  130. //invariant possibleTotalVotes(uint256 pId) 
    131. 

  131. //	tracked_weight(pId) <= totalVotesPossible(snapshot(pId))
    132. 

  132. 

  133. /*
    134. 

  134. * totalVotesPossible >= votePower(id)
    135. 

  135. */
    136. 

  136. // invariant possibleTotalVotes(uint pId)
    137. 

  137. //invariant trackedVsTotal(uint256 pId) 
    138. 

  138. //	tracked_weight(pId) <= possibleMaxOfVoters(pId)
    139. 

  139. 

  140. 

  141. /*
    142. 

  142. rule someOtherRuleToRemoveLater(uint256 num){
    143. 

  143.     env e; calldataarg args; method f;
    144. 

  144.     uint256 x = hasVoteGhost(num);
    145. 

  145.     f(e, args);
    146. 

  146.     assert(false);
    147. 

  147. }
    148. 

  148. */
    149. 

  149. 

  150. 

  151. rule oneUserVotesInCast(uint256 pId, method f) filtered { f -> ((f.selector == castVote(uint256, uint8).selector) || 
    152. 

  152.                                                                 f.selector == castVoteBySig(uint256, uint8, uint8, bytes32, bytes32).selector) }{
    153. 

  153.     env e; calldataarg args;
    154. 

  154.     uint256 ghost_Before = hasVoteGhost(pId);
    155. 

  155.     f(e, args);
    156. 

  156.     uint256 ghost_After = hasVoteGhost(pId);
    157. 

  157.     assert(ghost_After == ghost_Before + 1, "Raised by more than 1");
    158. 

  158. }
    159. 

  159. 

  160. 

  161. rule noVoteForSomeoneElse(uint256 pId, uint8 support){
    162. 

  162.     env e;
    163. 

  163.     uint256 voter = e.msg.sender;
    164. 

  164.     castVote(e, pId, support);
    165. 

  165. 

  166. }
    167. 

  167. 

  168. 

  169. //ok
    170. 

  170. rule votingWeightMonotonicity(method f){
    171. 

  171.     uint256 votingWeightBefore = sum_tracked_weight();
    172. 

  172. 

  173.     env e; 
    174. 

  174.     calldataarg args;
    175. 

  175.     f(e, args);
    176. 

  176. 

  177.     uint256 votingWeightAfter = sum_tracked_weight();
    178. 

  178. 

  179.     assert votingWeightBefore <= votingWeightAfter, "Voting weight was decreased somehow";
    180. 

  180. }
    181. 

  181. 

  182. // timeouts and strange violations
    183. 

  183. // https://vaas-stg.certora.com/output/3106/23f63c84c58b06285f4f/?anonymousKey=e5a7dc2e0ce7829cf5af8eb29a4ba231d915704c
    184. 

  184. rule quorumMonotonicity(method f, uint256 blockNumber){
    185. 

  185.     uint256 quorumBefore = quorum(blockNumber);
    186. 

  186. 

  187.     env e; 
    188. 

  188.     calldataarg args;
    189. 

  189.     f(e, args);
    190. 

  190. 

  191.     uint256 quorumAfter = quorum(blockNumber);
    192. 

  192. 

  193.     assert quorumBefore <= quorumAfter, "Quorum was decreased somehow";
    194. 

  194. }
    195. 

  195. 

  196. // getVotes() returns different results.
    197. 

  197. // are we assuming that a person with 0 votes can vote? are we assuming that a person may have 0 votes
    198. 

  198. // it seems like a weight can be 0. At least there is no check for it
    199. 

  199. // If it can be 0 then < should be changed to <= but it gives less coverage
    200. 

  200. rule hasVotedCorrelation(uint256 pId, method f, address acc, env e){
    201. 

  201.     uint256 againstBefore = votesAgainst();
    202. 

  202.     uint256 forBefore = votesFor();
    203. 

  203.     uint256 abstainBefore = votesAbstain();
    204. 

  204.     //againstBefore, forBefore, abstainBefore = proposalVotes(pId);
    205. 

  205. 

  206.     bool hasVotedBefore = hasVoted(e, pId, acc);
    207. 

  207.     uint256 votesBefore = getVotes(acc, pId);
    208. 

  208.     require votesBefore > 0;
    209. 

  209. 

  210.     calldataarg args;
    211. 

  211.     f(e, args);
    212. 

  212. 

  213.     uint256 againstAfter = votesAgainst();
    214. 

  214.     uint256 forAfter = votesFor();
    215. 

  215.     uint256 abstainAfter = votesAbstain();
    216. 

  216.     //againstAfter, forAfter, abstainAfter = proposalVotes(pId);
    217. 

  217. 

  218.     uint256 votesAfter = getVotes(acc, pId);
    219. 

  219.     bool hasVotedAfter = hasVoted(e, pId, acc);
    220. 

  220. 

  221.     assert hasVotedBefore != hasVotedAfter => againstBefore < againstAfter || forBefore < forAfter || abstainBefore < abstainAfter, "no correlation";
    222. 

  222. }
    223. 

  223. 

  224.