codex-contracts-eth/certora/specs/Marketplace.spec

using ERC20A as Token;

methods {
    function Token.balanceOf(address) external returns (uint256) envfree;
}

/*--------------------------------------------
|              Ghosts and hooks              |
--------------------------------------------*/

ghost mathint totalReceived;

hook Sload uint256 defaultValue currentContract._marketplaceTotals.received {
    require totalReceived >= to_mathint(defaultValue);
}

hook Sstore currentContract._marketplaceTotals.received uint256 defaultValue (uint256 defaultValue_old) {
    totalReceived = totalReceived + defaultValue - defaultValue_old;
}

ghost mathint totalSent;

hook Sload uint256 defaultValue currentContract._marketplaceTotals.sent {
    require totalSent >= to_mathint(defaultValue);
}

hook Sstore currentContract._marketplaceTotals.sent uint256 defaultValue (uint256 defaultValue_old) {
    totalSent = totalSent + defaultValue - defaultValue_old;
}

function canCancelRequest(method f) returns bool {
    return f.selector == sig:withdrawFunds(Marketplace.RequestId).selector;
}

function canStartRequest(method f) returns bool {
    return f.selector == sig:fillSlot(Marketplace.RequestId, uint256, Marketplace.Groth16Proof).selector;
}

function canFinishRequest(method f) returns bool {
    return f.selector == sig:freeSlot(Marketplace.SlotId).selector;
}

function canFailRequest(method f) returns bool {
    return f.selector == sig:markProofAsMissing(Marketplace.SlotId, Periods.Period).selector || 
        f.selector == sig:freeSlot(Marketplace.SlotId).selector;
}

invariant requestStartedWhenSlotsFilled(env e, Marketplace.RequestId requestId, Marketplace.SlotId slotId)
    to_mathint(currentContract.requestContext(e, requestId).slotsFilled) == to_mathint(currentContract.getRequest(e, requestId).ask.slots) => currentContract.requestState(e, requestId) == Marketplace.RequestState.Started;

/*--------------------------------------------
|                 Properties                 |
--------------------------------------------*/

rule sanity(env e, method f) {
    calldataarg args;
    f(e, args);
    assert true;
    satisfy true;
}

rule totalReceivedCannotDecrease(env e, method f) {
    mathint total_before = totalReceived;

    calldataarg args;
    f(e, args);

    mathint total_after = totalReceived;

    assert total_after >= total_before;
}

rule totalSentCannotDecrease(env e, method f) {
    mathint total_before = totalSent;

    calldataarg args;
    f(e, args);

    mathint total_after = totalSent;

    assert total_after >= total_before;
}

rule allowedRequestStateChanges(env e, method f) {
    calldataarg args;
    Marketplace.RequestId requestId;

    Marketplace.RequestState requestStateBefore = currentContract.requestState(e, requestId);
    f(e, args);
    Marketplace.RequestState requestStateAfter = currentContract.requestState(e, requestId);

    assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Started => requestStateBefore == Marketplace.RequestState.New;
    assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Finished => requestStateBefore == Marketplace.RequestState.Started;
    assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Failed => requestStateBefore == Marketplace.RequestState.Started;
    assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Cancelled => requestStateBefore == Marketplace.RequestState.New;
}

rule functionsCausingRequestStateChanges(env e, method f) {
    calldataarg args;
    Marketplace.RequestId requestId;

    Marketplace.RequestState requestStateBefore = currentContract.requestState(e, requestId);
    f(e, args);
    Marketplace.RequestState requestStateAfter = currentContract.requestState(e, requestId);

    // RequestState.New -> RequestState.Started
    assert requestStateBefore == Marketplace.RequestState.New && requestStateAfter == Marketplace.RequestState.Started => canStartRequest(f);

    // RequestState.Started -> RequestState.Finished
    assert requestStateBefore == Marketplace.RequestState.Started && requestStateAfter == Marketplace.RequestState.Finished => canFinishRequest(f);

    // RequestState.Started -> RequestState.Failed
    assert requestStateBefore == Marketplace.RequestState.Started && requestStateAfter == Marketplace.RequestState.Failed => canFailRequest(f);

    // RequestState.New -> RequestState.Cancelled
    assert requestStateBefore == Marketplace.RequestState.New && requestStateAfter == Marketplace.RequestState.Cancelled => canCancelRequest(f);
}

rule finishedRequestCannotBeStartedAgain(env e, method f) {

    calldataarg args;
    Marketplace.RequestId requestId;

    Marketplace.RequestState requestStateBefore = currentContract.requestState(e, requestId);
    require requestStateBefore == Marketplace.RequestState.Finished;
    f(e, args);
    Marketplace.RequestState requestStateAfter = currentContract.requestState(e, requestId);

    assert requestStateBefore == requestStateAfter;
}
Set up certora and implement first rules (#122) Co-authored-by: 0xb337r007 <0xe4e5@proton.me> Co-authored-by: Adam Uhlíř <adam@uhlir.dev> 2024-07-24 18:50:18 +02:00			`using ERC20A as Token;`

chore: formally verify request state changes This commit adds CVL rule that formally verifies the state changes of any given request in relation to the functions of the contract that can cause them. Closes #128 2024-08-05 16:27:20 +02:00			`methods {`
			`function Token.balanceOf(address) external returns (uint256) envfree;`
			`}`

Set up certora and implement first rules (#122) Co-authored-by: 0xb337r007 <0xe4e5@proton.me> Co-authored-by: Adam Uhlíř <adam@uhlir.dev> 2024-07-24 18:50:18 +02:00			`/*--------------------------------------------`
			`\| Ghosts and hooks \|`
			`--------------------------------------------*/`

			`ghost mathint totalReceived;`

			`hook Sload uint256 defaultValue currentContract._marketplaceTotals.received {`
			`require totalReceived >= to_mathint(defaultValue);`
			`}`

			`hook Sstore currentContract._marketplaceTotals.received uint256 defaultValue (uint256 defaultValue_old) {`
			`totalReceived = totalReceived + defaultValue - defaultValue_old;`
			`}`

			`ghost mathint totalSent;`

			`hook Sload uint256 defaultValue currentContract._marketplaceTotals.sent {`
			`require totalSent >= to_mathint(defaultValue);`
			`}`

			`hook Sstore currentContract._marketplaceTotals.sent uint256 defaultValue (uint256 defaultValue_old) {`
			`totalSent = totalSent + defaultValue - defaultValue_old;`
			`}`

chore: formally verify request state changes This commit adds CVL rule that formally verifies the state changes of any given request in relation to the functions of the contract that can cause them. Closes #128 2024-08-05 16:27:20 +02:00			`function canCancelRequest(method f) returns bool {`
			`return f.selector == sig:withdrawFunds(Marketplace.RequestId).selector;`
			`}`

			`function canStartRequest(method f) returns bool {`
			`return f.selector == sig:fillSlot(Marketplace.RequestId, uint256, Marketplace.Groth16Proof).selector;`
			`}`

			`function canFinishRequest(method f) returns bool {`
			`return f.selector == sig:freeSlot(Marketplace.SlotId).selector;`
			`}`

			`function canFailRequest(method f) returns bool {`
			`return f.selector == sig:markProofAsMissing(Marketplace.SlotId, Periods.Period).selector \|\|`
			`f.selector == sig:freeSlot(Marketplace.SlotId).selector;`
			`}`

			`invariant requestStartedWhenSlotsFilled(env e, Marketplace.RequestId requestId, Marketplace.SlotId slotId)`
			`to_mathint(currentContract.requestContext(e, requestId).slotsFilled) == to_mathint(currentContract.getRequest(e, requestId).ask.slots) => currentContract.requestState(e, requestId) == Marketplace.RequestState.Started;`

Set up certora and implement first rules (#122) Co-authored-by: 0xb337r007 <0xe4e5@proton.me> Co-authored-by: Adam Uhlíř <adam@uhlir.dev> 2024-07-24 18:50:18 +02:00			`/*--------------------------------------------`
			`\| Properties \|`
			`--------------------------------------------*/`

			`rule sanity(env e, method f) {`
			`calldataarg args;`
			`f(e, args);`
			`assert true;`
			`satisfy true;`
			`}`

			`rule totalReceivedCannotDecrease(env e, method f) {`
			`mathint total_before = totalReceived;`

			`calldataarg args;`
			`f(e, args);`

			`mathint total_after = totalReceived;`

			`assert total_after >= total_before;`
			`}`

			`rule totalSentCannotDecrease(env e, method f) {`
			`mathint total_before = totalSent;`

			`calldataarg args;`
			`f(e, args);`

			`mathint total_after = totalSent;`

			`assert total_after >= total_before;`
			`}`
chore: formally verify request state changes This commit adds CVL rule that formally verifies the state changes of any given request in relation to the functions of the contract that can cause them. Closes #128 2024-08-05 16:27:20 +02:00
			`rule allowedRequestStateChanges(env e, method f) {`
			`calldataarg args;`
			`Marketplace.RequestId requestId;`

			`Marketplace.RequestState requestStateBefore = currentContract.requestState(e, requestId);`
			`f(e, args);`
			`Marketplace.RequestState requestStateAfter = currentContract.requestState(e, requestId);`

			`assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Started => requestStateBefore == Marketplace.RequestState.New;`
			`assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Finished => requestStateBefore == Marketplace.RequestState.Started;`
			`assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Failed => requestStateBefore == Marketplace.RequestState.Started;`
			`assert requestStateBefore != requestStateAfter && requestStateAfter == Marketplace.RequestState.Cancelled => requestStateBefore == Marketplace.RequestState.New;`
			`}`

			`rule functionsCausingRequestStateChanges(env e, method f) {`
			`calldataarg args;`
			`Marketplace.RequestId requestId;`

			`Marketplace.RequestState requestStateBefore = currentContract.requestState(e, requestId);`
			`f(e, args);`
			`Marketplace.RequestState requestStateAfter = currentContract.requestState(e, requestId);`

			`// RequestState.New -> RequestState.Started`
			`assert requestStateBefore == Marketplace.RequestState.New && requestStateAfter == Marketplace.RequestState.Started => canStartRequest(f);`

			`// RequestState.Started -> RequestState.Finished`
			`assert requestStateBefore == Marketplace.RequestState.Started && requestStateAfter == Marketplace.RequestState.Finished => canFinishRequest(f);`

			`// RequestState.Started -> RequestState.Failed`
			`assert requestStateBefore == Marketplace.RequestState.Started && requestStateAfter == Marketplace.RequestState.Failed => canFailRequest(f);`

			`// RequestState.New -> RequestState.Cancelled`
			`assert requestStateBefore == Marketplace.RequestState.New && requestStateAfter == Marketplace.RequestState.Cancelled => canCancelRequest(f);`
			`}`

			`rule finishedRequestCannotBeStartedAgain(env e, method f) {`

			`calldataarg args;`
			`Marketplace.RequestId requestId;`

			`Marketplace.RequestState requestStateBefore = currentContract.requestState(e, requestId);`
			`require requestStateBefore == Marketplace.RequestState.Finished;`
			`f(e, args);`
			`Marketplace.RequestState requestStateAfter = currentContract.requestState(e, requestId);`

			`assert requestStateBefore == requestStateAfter;`
			`}`