| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 |
- import "helpers/helpers.spec"
- import "helpers/Governor.helpers.spec"
- import "GovernorInvariants.spec"
- methods {
- lateQuorumVoteExtension() returns uint64 envfree
- getExtendedDeadline(uint256) returns uint64 envfree
- }
- use invariant proposalStateConsistency
- use invariant votesImplySnapshotPassed
- /*
- โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
- โ This is not (easily) provable as an invariant because the prover think `_totalSupplyCheckpoints` can arbitrarily โ
- โ change, which causes the quorum() to change. Not sure how to fix that. โ
- โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
- */
- // invariant deadlineExtendedEquivQuorumReached(uint256 pId)
- // getExtendedDeadline(pId) > 0 <=> (quorumReached(pId) && !isCanceled(pId))
- /*
- โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
- โ Rule: โ
- โ * Deadline can never be reduced โ
- โ * If deadline increases then we are in `deadlineExtended` state and `castVote` was called. โ
- โ * A proposal's deadline can't change in `deadlineExtended` state. โ
- โ * A proposal's deadline can't be unextended. โ
- โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
- */
- rule deadlineChangeToPreventLateQuorum(uint256 pId, env e, method f, calldataarg args)
- filtered { f -> !assumedSafe(f) }
- {
- require clockSanity(e);
- requireInvariant proposalStateConsistency(pId);
- requireInvariant votesImplySnapshotPassed(e, pId);
- uint256 deadlineBefore = proposalDeadline(pId);
- bool deadlineExtendedBefore = getExtendedDeadline(pId) > 0;
- f(e, args);
- uint256 deadlineAfter = proposalDeadline(pId);
- bool deadlineExtendedAfter = getExtendedDeadline(pId) > 0;
- // deadline can never be reduced
- assert deadlineBefore <= deadlineAfter;
- // deadline can only be extended in proposal or on cast vote
- assert deadlineAfter != deadlineBefore => (
- (
- !deadlineExtendedBefore &&
- !deadlineExtendedAfter &&
- f.selector == propose(address[], uint256[], bytes[], string).selector
- ) || (
- !deadlineExtendedBefore &&
- deadlineExtendedAfter &&
- deadlineAfter == clock(e) + lateQuorumVoteExtension() &&
- votingAll(f)
- )
- );
- // a deadline can only be extended once
- assert deadlineExtendedBefore => deadlineBefore == deadlineAfter;
- // a deadline cannot be un-extended
- assert deadlineExtendedBefore => deadlineExtendedAfter;
- }
|