review governance spec #22
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gadicer
reviewed
Nov 23, 2023
gadicer
reviewed
Nov 23, 2023
| => getPayloadLength(proposalId) > 0 | ||
|
|
||
| Can this be an issue? | ||
| usually time dependnet properties should be proven as a rule |
gadicer
reviewed
Nov 23, 2023
|
|
||
| getProposalStateVariable(proposalId) != getProposalState(e,proposalId) | ||
|
|
||
| I see many of our rules are on getProposalState() and some are also on getProposalStateVariable() but when and why? |
There was a problem hiding this comment.
We really need getProposalState() - that's the contract function that retrieves the state. All contract functions use this function.
getProposalStateVariable() is a getter to the storage. It's an extra check.
gadicer
reviewed
Nov 26, 2023
| @@ -222,7 +246,10 @@ rule proposal_after_voting_portal_invalidate{ | |||
| IGovernanceCore.State state_after = getProposalState(e3, proposalId); | |||
|
|
|||
| assert !voting_portal_approved_after => (state_before != state_after => isTerminalState(state_after)); | |||
|
|
|||
| /* ND- what about the other direction | |||
There was a problem hiding this comment.
The 2 properties are equivalent.
P1: !voting_portal_approved_after => (state_before != state_after => isTerminalState(state_after))
P2: (state_before != state_after && !isTerminalState(state_after)) => voting_portal_approved_after
They have the same truth table.
voting_portal_approved_after | state_before != state_after | isTerminalState(state_after) | P1 | P2
0 | 0 | 0 | T | T
0 | 0 | 1 | T | T
0 | 1 | 0 | F | F
0 | 1 | 1 | T | T
1 | 0 | 0 | T | T
1 | 0 | 1 | T | T
1 | 1 | 0 | T | T
1 | 1 | 1 | T | T
There was a problem hiding this comment.
not easy to see that so maybe just add a comment that this is also implied by this rule
gadicer
reviewed
Nov 26, 2023
gadicer
reviewed
Nov 26, 2023
gadicer
reviewed
Nov 26, 2023
| require state1 != state2; | ||
| require creator_power <= voting_config_min_power; | ||
| assert state2 == IGovernanceCore.State.Cancelled || state2 == IGovernanceCore.State.Failed; | ||
|
|
||
| } | ||
|
|
||
| //pass | ||
| /* ND - is insufficient_proposition_power jsut a subcase of insufficient_proposition_power_allow_time_elapse? | ||
| ok to have both but maybe share the code in cvl function ? */ |
gadicer
reviewed
Nov 26, 2023
gadicer
reviewed
Nov 26, 2023
| @@ -266,7 +304,10 @@ rule insufficient_proposition_power_allow_time_elapse(method f) filtered { f -> | |||
| state2 == IGovernanceCore.State.Cancelled || state2 == IGovernanceCore.State.Failed || state2 == IGovernanceCore.State.Expired; | |||
|
|
|||
| } | |||
| /* | |||
| ND: missign rule that only state_advancing_function are indeed such | |||
There was a problem hiding this comment.
rule state_changing_function_self_check checks that
gadicer
reviewed
Nov 26, 2023
gadicer
reviewed
Nov 26, 2023
| @@ -283,17 +324,19 @@ rule insufficient_proposition_power_time_elapsed_tight_witness(method f) filtere | |||
|
|
|||
| require state1 != state2; | |||
| require creator_power <= (voting_config_min_power); | |||
| /* so you are looking for state2 == IGovernanceCore.State.Expired ? why not just satisfy that ? */ | |||
gadicer
reviewed
Nov 26, 2023
|
Thinking about missing specs: I wonder if the following mutations will be caught:
|
gadicer
reviewed
Nov 28, 2023
| @@ -668,7 +715,8 @@ filtered {f -> !f.isView} | |||
| f(e2, args); | |||
| uint40 voting_activation_time_after = getProposalVotingActivationTime(proposalId); | |||
| bytes32 snapshot_blockhash_after = getProposalSnapshotBlockHash(proposalId); | |||
|
|
|||
| /* ND - we are not proving the "can only be set once... " we are proving "can not be changed after activateVoting" | |||
| either rephrase of add a satisfy rule that shows it can be set */ | |||
gadicer
reviewed
Nov 28, 2023
| @@ -725,7 +773,7 @@ rule proposal_executes_after_cooldown_period(){ | |||
| // From its perspective, execution is sent to a Portal. | |||
| //Property #18: VOTING_TOKENS_CAP in GovernanceCore should be big enough to account for tokens that need to pass multiple slots, | |||
| // and big enough for at least mig to long term | |||
|
|
|||
| // ND - what are the above 16 - 18 properties? | |||
There was a problem hiding this comment.
Property #17 We summarize CrossChainForwarder.forwardMessage to NONDET. This function sends payloads to execution chain, and it's called by executeProposal(). I added a comment about the summarization to the "assumptions and simplifications" section of the report. So the property seems to hold.
Property #18: VOTING_TOKENS_CAP is not relevant anymore, the constant is not used now. I'll notify the customer.
gadicer
reviewed
Nov 28, 2023
| invariant cancellationFeeZeroForFutureProposals(uint256 proposalId) | ||
| proposalId >= getProposalCount() => getProposalCancellationFee(proposalId) == 0; | ||
|
|
||
| // Property: eth balance can cover the total cancellation fee of users | ||
| invariant totalCancellationFeeEqualETHBalance() | ||
| // ND - the report regard fee of live proposals, this is all proposals, no? |
gadicer
reviewed
Nov 28, 2023
| @@ -871,6 +921,7 @@ rule userFeeDidntChangeImplyNativeBalanceDidntDecrease(){ | |||
| // | |||
|
|
|||
| // A voter cannot represent himself | |||
| // ND - this is not in the report, why? | |||
gadicer
reviewed
Nov 28, 2023
| @@ -176,20 +196,20 @@ invariant creator_is_not_zero_2(uint256 proposalId) | |||
| invariant empty_payloads_iff_uninitialized_proposal(uint256 proposalId) | |||
| proposalId >= getProposalsCount() <=> getPayloadLength(proposalId) == 0; | |||
|
|
|||
| /* ND - this is just a subset of the above ? */ | |||
gadicer
reviewed
Nov 28, 2023
| invariant null_state_if_uninitialized_proposal(env e, uint256 proposalId) | ||
| proposalId >= getProposalsCount() => getProposalState(e, proposalId) == IGovernanceCore.State.Null; | ||
|
|
||
| /* ND - subset of null_state_variable_iff_uninitialized_proposal */ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
my review:
notice that some comments are regarding the pdf verification report