Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Certora] Handle overflows #105

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[Certora] Handle overflows #105

wants to merge 3 commits into from

Conversation

colin-morpho
Copy link
Contributor

@colin-morpho colin-morpho commented Dec 16, 2024
edited
Loading

Replace absurd revert conditions with safe requirements that have been proven.
Fixes a very small typo in the certora/README.md.
Closes #97.

@colin-morpho colin-morpho linked an issue Dec 16, 2024 that may be closed by this pull request
[Certora] Check underflow and overflows. #97
Open
@colin-morpho colin-morpho self-assigned this Dec 16, 2024
MathisGD
MathisGD previously approved these changes Dec 16, 2024
View reviewed changes
@colin-morpho
Copy link
Contributor Author

I think it's even possible to actually require the invariants themselves.

QGarchery
QGarchery requested changes Dec 16, 2024
View reviewed changes
Copy link
Contributor

@QGarchery QGarchery left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great, but it seems like there are more of the same to do in MintBurn specification. For example:

morpho-token/certora/specs/MintBurnEthereum.spec

Line 80 in 2ebbdff

toVotingPowerBefore + amount > max_uint256;

@colin-morpho
Copy link
Contributor Author

colin-morpho commented Dec 16, 2024
edited
Loading

I think it's even possible to actually require the invariants themselves.

Actually it isn't because the invriants require the munging setup which introduce new possible owerflows related to the zero virtual voting power.

toVotingPowerBefore + amount > max_uint256;

@QGarchery I think this is a legitimate reason to revert, isn't it?

Fixed in 6ab5bad.

@QGarchery
Copy link
Contributor

A couple more to fix :

morpho-token/certora/specs/MintBurnEthereum.spec

Line 118 in 6ab5bad

assert e.msg.sender == 0x0 || fromBalanceBefore < amount || fromVotingPowerBefore < amount ;

@colin-morpho
Copy link
Contributor Author

A couple more to fix :

@QGarchery, I haven't managed to get these ones do not go through because of the same reason as :

Actually it isn't because the invriants require the munging setup which introduce new possible owerflows related to the zero virtual voting power.

In particular, when votes are delegated to zero, burn subtracts the amount from the zeroVirtualVotingPower causing a revert that is caught by fromVotingPowerBefore < amount .

@QGarchery
Copy link
Contributor

In particular, when votes are delegated to zero, burn subtracts the amount from the zeroVirtualVotingPower causing a revert that is caught by fromVotingPowerBefore < amount

Good point, but I think we can still frame it in terms of a "safe require". Here the invariant that we would want is that the balance of the sender is less that _zeroVirtualVotingPower in case where the sender delegates to 0

@colin-morpho
Copy link
Contributor Author

colin-morpho commented Dec 16, 2024
edited
Loading

Good point, but I think we can still frame it in terms of a "safe require". Here the invariant that we would want is that the balance of the sender is less that _zeroVirtualVotingPower in case where the sender delegates to 0

Just requiring the delegatee(from) == 0 => fromBalanceBefore <= _zeroVirtualVotingPower isn't enough (see this run), it looks like the prover isn't able to figure out that amount <= fromBalanceBefore <= fromVotingPowerBefore.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@QGarchery QGarchery Awaiting requested review from QGarchery

@MathisGD MathisGD Awaiting requested review from MathisGD

Requested changes must be addressed to merge this pull request.

Assignees

@colin-morpho colin-morpho

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Certora] Check underflow and overflows.
3 participants
@colin-morpho @QGarchery @MathisGD