Skip to content

Feat: add Certora specs #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
amusingaxl merged 101 commits into from
Aug 4, 2025
Merged

Feat: add Certora specs #7

amusingaxl merged 101 commits into from
Aug 4, 2025

Conversation

@amusingaxl
Copy link
Contributor

@amusingaxl amusingaxl commented Mar 20, 2025

No description provided.

oddaf and others added 30 commits February 14, 2025 00:04
@oddaf
initial implementation
e62ac29
@oddaf @amusingaxl
Update script/input/1/README.md
13e9d95 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/DSPC.sol
2d4ff02 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/DSPC.sol
2bccdbe 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/DSPC.sol
2c3f886 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/DSPC.sol
3c60b1f 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf
refactor: rename function put to set
52a59f7
@oddaf
fix: add check if data can be safely cast to uint16 in file()
c04ef6c
@oddaf
refactor: remove step restriction
d6ff178
@oddaf
chore: forge fmt
b341255
@oddaf
refactor: Update Set event to be emitted for each rate update
917eb4d
@oddaf @amusingaxl
Update src/deployment/DSPCInstance.sol
def70fa 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/deployment/DSPCInit.sol
9c2898d 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/deployment/DSPCInit.sol
b6c57c0 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/deployment/DSPCDeploy.sol
253af36 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/deployment/DSPCDeploy.sol
45a1834 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/deployment/DSPCDeploy.sol
cec6dc4 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf @amusingaxl
Update src/deployment/DSPCInit.sol
48b668a 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf
refactor: use addresses instead of interfaces in DSPCInstance to ease…
b9482c3 
… casting
@oddaf
fix: enforce min < max and max > min on file()
2274abe
@oddaf
fix: typo in RelyLike
75211ed
@oddaf @amusingaxl
Update src/DSPC.sol
3d3a515 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf
feat: dspc cooldown + step
b7dadb5
@oddaf
remove unnecessary setup from dspcMom test
0582668
@oddaf
chore: forge fmt
e03048f
@oddaf @amusingaxl
Apply suggestions from code review
d685819 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@oddaf
fix: revert message in test
9dcf622
@oddaf
chore: forge fmt
0a79139
@oddaf
feat: improvements to initialization script
a47d4ff
@oddaf @amusingaxl
Apply suggestions from code review
4077e06 
Co-authored-by: amusingaxl <112016538+amusingaxl@users.noreply.github.com>
Signed-off-by: oddaf <106770775+oddaf@users.noreply.github.com>
@amusingaxl amusingaxl marked this pull request as ready for review March 28, 2025 13:32
pedrobergamini
pedrobergamini previously approved these changes Mar 28, 2025
View reviewed changes
Copy link
Member

@pedrobergamini pedrobergamini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! Just commented an idea on Certora's GH actions workflow

pedrobergamini
pedrobergamini previously approved these changes Apr 2, 2025
View reviewed changes
certora/SPBEAM.spec Outdated
revert7 || revert8 || revert9 ||
revert10,
"set revert rules failed";
revert7 || revert8,
Copy link
Member

@pedrobergamini pedrobergamini Apr 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work on this change

sunbreak1211
sunbreak1211 reviewed Apr 9, 2025
View reviewed changes
sunbreak1211
sunbreak1211 reviewed Apr 9, 2025
View reviewed changes
sunbreak1211
sunbreak1211 reviewed Apr 9, 2025
View reviewed changes
sunbreak1211
sunbreak1211 reviewed Apr 9, 2025
View reviewed changes
sunbreak1211
sunbreak1211 reviewed Apr 9, 2025
View reviewed changes
@sunbreak1211
Copy link
Collaborator

sunbreak1211 commented Apr 9, 2025

Maybe an interesting rule/invariant to do, if you end up having some extra time, would be to prove that after any call to set, the values updated can not end up being outside the min-max range and always respect be restricted by the step.
Then the fix ordering can be roll back and check that the rule would have caught that. In either case those things are also indirectly proved with the current rules so not really mandatory, but I guess it would be a more high level rule that helps guaranteeing those invariants.

@amusingaxl
Copy link
Contributor Author

amusingaxl commented Apr 11, 2025

Maybe an interesting rule/invariant to do, if you end up having some extra time, would be to prove that after any call to set, the values updated can not end up being outside the min-max range and always respect be restricted by the step.

This was added in 67d5fbc.

Then the fix ordering can be roll back and check that the rule would have caught that.

Not entirely sure if I get what you're suggesting here.

Base automatically changed from initial-implementation to master April 22, 2025 12:50
@amusingaxl amusingaxl dismissed pedrobergamini’s stale review April 22, 2025 12:50

The base branch was changed.

pedrobergamini
pedrobergamini reviewed Jun 12, 2025
View reviewed changes
Copy link
Member

@pedrobergamini pedrobergamini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a few questions about the mocks, also, after reviewing the updated rules I thought it could be useful if we added the following one to ensure the config is always consistent:

rule config_min_less_than_max(bytes32 id) {
    uint16 min; uint16 max; uint16 step;
    min, max, step = cfgs(id);
    
    assert min <= max, "Configuration min should always be <= max";
}

certora/mocks/SUsds.sol
// NOTE: using mocked `drip` function because this method is not a subject of the formal verification
// NOTE: this line is needed to prevent `file` above from reverting
rho = uint64(block.timestamp);
// (uint256 chi_, uint256 rho_) = (chi, rho);
Copy link
Member

@pedrobergamini pedrobergamini Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we return chi here? As right now nChi is always == 0?

nChi = uint256(chi)

Copy link
Contributor Author

@amusingaxl amusingaxl Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, the return value is irrelevant to the main subject of the formal verification.
We just need to ensure that the calls to drip() and file() in the underlying contracts don't fail for reasons that are not relevant.

certora/mocks/Jug.sol
// NOTE: this line is needed to prevent `file` above from reverting
ilks[ilk].rho = now;
// require(now >= ilks[ilk].rho, "Jug/invalid-now");
// (, uint prev) = vat.ilks(ilk);
Copy link
Member

@pedrobergamini pedrobergamini Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be better if we returned the current duty instead of 0 here?

function drip(bytes32 ilk) external note returns (uint256 rate) {
    ilks[ilk].rho = now;
    rate = ilks[ilk].duty;  // Return current duty instead of 0
}

Copy link
Contributor Author

@amusingaxl amusingaxl Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

certora/mocks/Pot.sol
// uint chi_ = sub(tmp, chi);
// chi = tmp;
rho = now;
// rho = now;
Copy link
Member

@pedrobergamini pedrobergamini Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question as Jug::drip, would it be better if we returned the dsr value here?

function drip() external note returns (uint256 tmp) {
    rho = now;
    tmp = dsr;  // Return current dsr instead of 0
}

Copy link
Contributor Author

@amusingaxl amusingaxl Jun 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

pedrobergamini
pedrobergamini approved these changes Jun 12, 2025
View reviewed changes
Copy link
Member

@pedrobergamini pedrobergamini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@amusingaxl amusingaxl requested a review from sunbreak1211 June 12, 2025 22:37
@amusingaxl amusingaxl merged commit bc88579 into master Aug 4, 2025
4 checks passed
@amusingaxl amusingaxl deleted the feat/certora-spec branch August 4, 2025 13:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pedrobergamini pedrobergamini pedrobergamini approved these changes

@sunbreak1211 sunbreak1211 Awaiting requested review from sunbreak1211

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@amusingaxl @sunbreak1211 @pedrobergamini @oddaf