GitBross Home Explore Help
Register Sign In
sol_Bo8des9o
/
openzeppelin-contracts
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d98d9c03f3
Branches Tags
openzeppelin-co...
/
certora
/
specs
/
TimelockController.spec

TimelockController.spec 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323 
  1. methods {
    2. 

  2.     getTimestamp(bytes32) returns(uint256) envfree
    3. 

  3.     _DONE_TIMESTAMP() returns(uint256) envfree
    4. 

  4.     PROPOSER_ROLE() returns(bytes32) envfree
    5. 

  5.     _minDelay() returns(uint256) envfree
    6. 

  6.     getMinDelay() returns(uint256) envfree
    7. 

  7.     hashOperation(address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt) returns(bytes32) envfree
    8. 

  8.     isOperation(bytes32) returns(bool) envfree
    9. 

  9.     isOperationPending(bytes32) returns(bool) envfree
    10. 

  10.     isOperationDone(bytes32) returns(bool) envfree
    11. 

  11. 

  12.     isOperationReady(bytes32) returns(bool)
    13. 

  13.     cancel(bytes32)
    14. 

  14.     schedule(address, uint256, bytes32, bytes32, bytes32, uint256)
    15. 

  15.     execute(address, uint256, bytes, bytes32, bytes32)
    16. 

  16.     executeBatch(address[], uint256[], bytes[], bytes32, bytes32)
    17. 

  17.     _checkRole(bytes32) => DISPATCHER(true)
    18. 

  18. }
    19. 

  19. 

  20. 

  21. 

  22. ////////////////////////////////////////////////////////////////////////////
    23. 

  23. //                         Functions                                      //
    24. 

  24. ////////////////////////////////////////////////////////////////////////////
    25. 

  25. 

  26. 

  27. function hashIdCorrelation(bytes32 id, address target, uint256 value, bytes data, bytes32 predecessor, bytes32 salt){
    28. 

  28.     require data.length < 32;
    29. 

  29.     require hashOperation(target, value, data, predecessor, salt) == id;
    30. 

  30. }
    31. 

  31. 

  32. 

  33. 

  34. ////////////////////////////////////////////////////////////////////////////
    35. 

  35. //                         Invariants                                     //
    36. 

  36. ////////////////////////////////////////////////////////////////////////////
    37. 

  37. 

  38. 

  39. // STATUS - verified
    40. 

  40. // `isOperation()` correctness check
    41. 

  41. invariant operationCheck(bytes32 id)
    42. 

  42.     getTimestamp(id) > 0 <=> isOperation(id)
    43. 

  43. filtered { f -> !f.isView }
    44. 

  44. 

  45. // STATUS - verified
    46. 

  46. // `isOperationPending()` correctness check
    47. 

  47. invariant pendingCheck(bytes32 id)
    48. 

  48.     getTimestamp(id) > _DONE_TIMESTAMP() <=> isOperationPending(id)
    49. 

  49. filtered { f -> !f.isView }
    50. 

  50. 

  51. // STATUS - verified
    52. 

  52. // `isOperationReady()` correctness check
    53. 

  53. invariant readyCheck(env e, bytes32 id)
    54. 

  54.     (e.block.timestamp >= getTimestamp(id) && getTimestamp(id) > 1) <=> isOperationReady(e, id)
    55. 

  55. filtered { f -> !f.isView }
    56. 

  56. 

  57. // STATUS - verified
    58. 

  58. // `isOperationDone()` correctness check
    59. 

  59. invariant doneCheck(bytes32 id)
    60. 

  60.     getTimestamp(id) == _DONE_TIMESTAMP() <=> isOperationDone(id)
    61. 

  61. filtered { f -> !f.isView }
    62. 

  62. 

  63. 

  64. ////////////////////////////////////////////////////////////////////////////
    65. 

  65. //                            Rules                                       //
    66. 

  66. ////////////////////////////////////////////////////////////////////////////
    67. 

  67. 

  68. 

  69. /////////////////////////////////////////////////////////////
    70. 

  70. // STATE TRANSITIONS
    71. 

  71. /////////////////////////////////////////////////////////////
    72. 

  72. 

  73. 

  74. // STATUS - verified
    75. 

  75. // Possible transitions: form `!isOperation()` to `!isOperation()` or `isOperationPending()` only
    76. 

  76. rule unsetPendingTransitionGeneral(method f, env e){
    77. 

  77.     bytes32 id;
    78. 

  78. 

  79.     require !isOperation(id);
    80. 

  80.     require e.block.timestamp > 1;
    81. 

  81. 

  82.     calldataarg args;
    83. 

  83.     f(e, args);
    84. 

  84. 

  85.     assert isOperationPending(id) || !isOperation(id);
    86. 

  86. }
    87. 

  87. 

  88. 

  89. // STATUS - verified
    90. 

  90. // Possible transitions: form `!isOperation()` to `isOperationPending()` via `schedule()` and `scheduleBatch()` only
    91. 

  91. rule unsetPendingTransitionMethods(method f, env e){
    92. 

  92.     bytes32 id;
    93. 

  93. 

  94.     require !isOperation(id);
    95. 

  95. 

  96.     calldataarg args;
    97. 

  97.     f(e, args);
    98. 

  98. 

  99.     assert isOperationPending(id) => (f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector 
    100. 

  100.                                 || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector), "Why do we need to follow the schedule?";
    101. 

  101. }
    102. 

  102. 

  103. 

  104. // STATUS - verified
    105. 

  105. // Possible transitions: form `ready()` to `isOperationDone()` via `execute()` and `executeBatch()` only
    106. 

  106. rule readyDoneTransition(method f, env e){
    107. 

  107.     bytes32 id;
    108. 

  108. 

  109.     require isOperationReady(e, id);
    110. 

  110. 

  111.     calldataarg args;
    112. 

  112.     f(e, args);
    113. 

  113. 

  114.     assert isOperationDone(id) => f.selector == execute(address, uint256, bytes, bytes32, bytes32).selector  
    115. 

  115.                                 || f.selector == executeBatch(address[], uint256[], bytes[], bytes32, bytes32).selector , "It's not isOperationDone yet!";
    116. 

  116. }
    117. 

  117. 

  118. 

  119. // STATUS - verified
    120. 

  120. // isOperationPending() -> cancelled() via cancel() only
    121. 

  121. rule pendingCancelledTransition(method f, env e){
    122. 

  122.     bytes32 id;
    123. 

  123. 

  124.     require isOperationPending(id);
    125. 

  125. 

  126.     calldataarg args;
    127. 

  127.     f(e, args);
    128. 

  128. 

  129.     assert !isOperation(id) => f.selector == cancel(bytes32).selector, "How you dare to cancel me?";
    130. 

  130. }
    131. 

  131. 

  132. 

  133. // STATUS - verified
    134. 

  134. // isOperationDone() -> nowhere
    135. 

  135. rule doneToNothingTransition(method f, env e){
    136. 

  136.     bytes32 id;
    137. 

  137. 

  138.     require isOperationDone(id);
    139. 

  139. 

  140.     calldataarg args;
    141. 

  141.     f(e, args);
    142. 

  142. 

  143.     assert isOperationDone(id), "Did you find a way to escape? There is no way! HA-HA-HA";
    144. 

  144. }
    145. 

  145. 

  146. 

  147. 

  148. /////////////////////////////////////////////////////////////
    149. 

  149. // THE REST
    150. 

  150. /////////////////////////////////////////////////////////////
    151. 

  151. 

  152. 

  153. // STATUS - verified
    154. 

  154. // only TimelockController contract can change minDelay
    155. 

  155. rule minDelayOnlyChange(method f, env e){
    156. 

  156.     uint256 delayBefore = _minDelay();    
    157. 

  157. 

  158.     calldataarg args;
    159. 

  159.     f(e, args);
    160. 

  160. 

  161.     uint256 delayAfter = _minDelay();
    162. 

  162. 

  163.     assert delayBefore != delayAfter => e.msg.sender == currentContract, "You cannot change your destiny! Only I can!";
    164. 

  164. }
    165. 

  165. 

  166. 

  167. // STATUS - verified
    168. 

  168. // scheduled operation timestamp == block.timestamp + delay (kind of unit test)
    169. 

  169. rule scheduleCheck(method f, env e){
    170. 

  170.     bytes32 id;
    171. 

  171. 

  172.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    173. 

  173. 

  174.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    175. 

  175. 

  176.     schedule(e, target, value, data, predecessor, salt, delay);
    177. 

  177. 

  178.     assert getTimestamp(id) == to_uint256(e.block.timestamp + delay), "Time doesn't obey to mortal souls";
    179. 

  179. }
    180. 

  180. 

  181. 

  182. // STATUS - verified
    183. 

  183. // Cannot call `execute()` on a isOperationPending (not ready) operation
    184. 

  184. rule cannotCallExecute(method f, env e){
    185. 

  185.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    186. 

  186.     bytes32 id;
    187. 

  187. 

  188.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    189. 

  189.     require isOperationPending(id) && !isOperationReady(e, id);
    190. 

  190. 

  191.     execute@withrevert(e, target, value, data, predecessor, salt);
    192. 

  192. 

  193.     assert lastReverted, "you go against execution nature";
    194. 

  194. }
    195. 

  195. 

  196. 

  197. // STATUS - verified
    198. 

  198. // Cannot call `execute()` on a !isOperation operation
    199. 

  199. rule executeRevertsFromUnset(method f, env e, env e2){
    200. 

  200.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    201. 

  201.     bytes32 id;
    202. 

  202. 

  203.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    204. 

  204.     require !isOperation(id);
    205. 

  205. 

  206.     execute@withrevert(e, target, value, data, predecessor, salt);
    207. 

  207. 

  208.     assert lastReverted, "you go against execution nature";
    209. 

  209. }
    210. 

  210. 

  211. 

  212. // STATUS - verified
    213. 

  213. // Execute reverts => state returns to isOperationPending
    214. 

  214. rule executeRevertsEffectCheck(method f, env e){
    215. 

  215.     address target; uint256 value; bytes data; bytes32 predecessor; bytes32 salt;
    216. 

  216.     bytes32 id;
    217. 

  217. 

  218.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    219. 

  219.     require isOperationPending(id) && !isOperationReady(e, id);
    220. 

  220. 

  221.     execute@withrevert(e, target, value, data, predecessor, salt);
    222. 

  222.     bool reverted = lastReverted;
    223. 

  223. 

  224.     assert lastReverted => isOperationPending(id) && !isOperationReady(e, id), "you go against execution nature";
    225. 

  225. }
    226. 

  226. 

  227. 

  228. // STATUS - verified
    229. 

  229. // Canceled operations cannot be executed → can’t move from canceled to isOperationDone
    230. 

  230. rule cancelledNotExecuted(method f, env e){
    231. 

  231.     bytes32 id;
    232. 

  232. 

  233.     require !isOperation(id);
    234. 

  234.     require e.block.timestamp > 1;
    235. 

  235. 

  236.     calldataarg args;
    237. 

  237.     f(e, args);
    238. 

  238. 

  239.     assert !isOperationDone(id), "The ship is not a creature of the air";
    240. 

  240. }
    241. 

  241. 

  242. 

  243. // STATUS - verified
    244. 

  244. // Only proposers can schedule
    245. 

  245. rule onlyProposer(method f, env e) filtered { f -> f.selector == schedule(address, uint256, bytes, bytes32, bytes32, uint256).selector
    246. 

  246.                                                     || f.selector == scheduleBatch(address[], uint256[], bytes[], bytes32, bytes32, uint256).selector } {
    247. 

  247.     bytes32 id;
    248. 

  248.     bytes32 role;
    249. 

  249.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    250. 

  250. 

  251.     _checkRole@withrevert(e, PROPOSER_ROLE());
    252. 

  252. 

  253.     bool isCheckRoleReverted = lastReverted;
    254. 

  254. 

  255.     calldataarg args;
    256. 

  256.     f@withrevert(e, args);
    257. 

  257. 

  258.     bool isScheduleReverted = lastReverted;
    259. 

  259. 

  260.     assert isCheckRoleReverted => isScheduleReverted, "Enemy was detected";
    261. 

  261. }
    262. 

  262. 

  263. 

  264. // STATUS - verified
    265. 

  265. // if `ready` then has waited minimum period after isOperationPending() 
    266. 

  266. rule cooldown(method f, env e, env e2){
    267. 

  267.     bytes32 id;
    268. 

  268.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    269. 

  269.     uint256 minDelay = getMinDelay();
    270. 

  270. 

  271.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    272. 

  272. 

  273.     schedule(e, target, value, data, predecessor, salt, delay);
    274. 

  274. 

  275.     calldataarg args;
    276. 

  276.     f(e, args);
    277. 

  277. 

  278.     assert isOperationReady(e2, id) => (e2.block.timestamp - e.block.timestamp >= minDelay), "No rush! When I'm ready, I'm ready";
    279. 

  279. }
    280. 

  280. 

  281. 

  282. // STATUS - verified
    283. 

  283. // `schedule()` should change only one id's timestamp
    284. 

  284. rule scheduleChange(env e){
    285. 

  285.     bytes32 id;  bytes32 otherId; 
    286. 

  286.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt; uint256 delay;
    287. 

  287. 

  288.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    289. 

  289. 

  290.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    291. 

  291. 

  292.     schedule(e, target, value, data, predecessor, salt, delay);
    293. 

  293. 

  294.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    295. 

  295. }
    296. 

  296. 

  297. 

  298. // STATUS - verified
    299. 

  299. // `execute()` should change only one id's timestamp
    300. 

  300. rule executeChange(env e){
    301. 

  301.     bytes32 id;  bytes32 otherId; 
    302. 

  302.     address target; uint256 value; bytes data ;bytes32 predecessor; bytes32 salt;
    303. 

  303.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    304. 

  304. 

  305.     hashIdCorrelation(id, target, value, data, predecessor, salt);
    306. 

  306. 

  307.     execute(e, target, value, data, predecessor, salt);
    308. 

  308. 

  309.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    310. 

  310. }
    311. 

  311. 

  312. 

  313. // STATUS - verified
    314. 

  314. // `cancel()` should change only one id's timestamp
    315. 

  315. rule cancelChange(env e){
    316. 

  316.     bytes32 id;  bytes32 otherId; 
    317. 

  317. 

  318.     uint256 otherIdTimestampBefore = getTimestamp(otherId);
    319. 

  319. 

  320.     cancel(e, id);
    321. 

  321. 

  322.     assert id != otherId => otherIdTimestampBefore == getTimestamp(otherId), "Master of puppets, I'm pulling your strings";
    323. 

  323. }
    324.