Updated StableDebtToken spec

This commit is contained in:
pistiner 2020-11-22 23:19:56 +02:00
parent 219d765f97
commit f90e53293d
2 changed files with 45 additions and 41 deletions


@ -1 +1 @@
certoraRun specs/harness/StableDebtTokenHarness.sol:StableDebtTokenHarness --solc solc6.8 --verify StableDebtTokenHarness:specs/StableDebtToken.spec --settings -assumeUnwindCond --cache StableDebtToken --staging master certoraRun.py specs/harness/StableDebtTokenHarness.sol:StableDebtTokenHarness --solc solc6.12 --verify StableDebtTokenHarness:specs/StableDebtToken.spec --settings -assumeUnwindCond,-b=4 --cache StableDebtToken --staging
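Review bot: The new `--settings -assumeUnwindCond,-b=4` tells the prover to unroll each loop at most 4 times and assume the loop exits there, so every rule in StableDebtToken.spec is now only checked up to that bound and a counterexample that needs a fifth iteration is silently dropped; nothing in this one-line script records that trade-off. A comment line above the command would keep the next maintainer from reading a passing run as a full proof: `# -assumeUnwindCond,-b=4: loops are unrolled 4x and assumed to terminate; rules are unsound past that bound`. The solc bump to `solc6.12` presumably matches the harness pragma, but the harness is not shown here, so that is inferred.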


@ -14,9 +14,9 @@ rule integrityTimeStamp(address user, method f) {
/** /**
TotalSupply is the sum of all users balances TotalSupply is the sum of all users balances
totalSupply(t) = Σaddress u. balanceOf(u,t) totalSupply(t) = Σaddress u. balanceOf(u,t).
Check that each possible opertaion changes the balance of at most one user Checks that each possible operation changes the balance of at most one user.
*/ */
rule balanceOfChange(address a, address b, method f) rule balanceOfChange(address a, address b, method f)
{ {
@ -36,7 +36,8 @@ rule balanceOfChange(address a, address b, method f )
} }
/** /**
Check that the change to total supply is coherent with the changes to balance Checks that the change to total supply is coherent with the change to balance due to an operation
(which is not burn).
*/ */
rule integirtyBalanceOfTotalSupply(address a, method f ) rule integirtyBalanceOfTotalSupply(address a, method f )
{ {
@ -54,7 +55,8 @@ rule integirtyBalanceOfTotalSupply(address a, method f )
assert (balanceAAfter != balanceABefore => (balanceAAfter - balanceABefore == totalSupplyAfter - totalSupplyBefore)); assert (balanceAAfter != balanceABefore => (balanceAAfter - balanceABefore == totalSupplyAfter - totalSupplyBefore));
} }
/* Burn behaves differently and due to accumulation errors might have less total supply than the balance /**
Burn behaves differently and due to accumulation errors might have less total supply than the balance.
*/ */
rule integirtyBalanceOfTotalSupplyOnBurn(address a, method f) rule integirtyBalanceOfTotalSupplyOnBurn(address a, method f)
{ {
@ -74,22 +76,23 @@ rule integirtyBalanceOfTotalSupplyOnBurn(address a, method f)
} }
/** /**
Mint inceases the balanceOf user a as expected Mint increases the balanceOf user a as expected.
*/ */
rule integrityMint(address a, uint256 x) { rule integrityMint(address a, uint256 x) {
env e; env e;
address delegatedUser;
require sinvoke getIncentivesController(e) == 0; require sinvoke getIncentivesController(e) == 0;
uint256 index; uint256 index;
uint256 balancebefore = sinvoke balanceOf(e,a); uint256 balancebefore = sinvoke balanceOf(e,a);
sinvoke mint(e,a,x,index); sinvoke mint(e, delegatedUser, a, x, index);
uint256 balanceAfter = sinvoke balanceOf(e,a); uint256 balanceAfter = sinvoke balanceOf(e,a);
assert balanceAfter == balancebefore+x; assert balanceAfter == balancebefore+x;
} }
/** /**
Mint is additive, can performed either all at once or gradually Mint is additive, namely it can performed either all at once or gradually:
mint(u,x); mint(u,y) ~ mint(u,x+y) at the same timestamp mint(u, x); mint(u, y) ~ mint(u, x+y) at the same timestamp.
Note: We assume that the stable rate of the user is 0. Note: We assume that the stable rate of the user is 0.
The case where the rate is non-zero takes much more time to prove, The case where the rate is non-zero takes much more time to prove,
@ -97,16 +100,17 @@ and therefore it is currently excluded from the CI.
*/ */
rule additiveMint(address a, uint256 x, uint256 y) { rule additiveMint(address a, uint256 x, uint256 y) {
env e; env e;
address delegatedUser;
require sinvoke getIncentivesController(e) == 0; require sinvoke getIncentivesController(e) == 0;
require getUserStableRate(e, a) == 0; require getUserStableRate(e, a) == 0;
uint256 index; uint256 index;
storage initialStorage = lastStorage; storage initialStorage = lastStorage;
sinvoke mint(e,a,x,index); sinvoke mint(e, delegatedUser, a, x, index);
sinvoke mint(e,a,y,index); sinvoke mint(e, delegatedUser, a, y, index);
uint256 balanceScenario1 = sinvoke balanceOf(e, a); uint256 balanceScenario1 = sinvoke balanceOf(e, a);
uint256 t = x + y; uint256 t = x + y;
sinvoke mint(e,a, t ,index) at initialStorage; sinvoke mint(e, delegatedUser, a, t ,index) at initialStorage;
uint256 balanceScenario2 = sinvoke balanceOf(e, a); uint256 balanceScenario2 = sinvoke balanceOf(e, a);
assert balanceScenario1 == balanceScenario2, "mint is not additive"; assert balanceScenario1 == balanceScenario2, "mint is not additive";
@ -139,17 +143,17 @@ rule additiveBurn(address a, uint256 x, uint256 y) {
/** /**
mint and burn are inverse operations Mint and burn are inverse operations.
Thus, totalSupply is back to initial state Therefore, both totalSupply and BalanceOf user are back to the initial state.
BalanceOf user is back to initial state */ */
rule inverseMintBurn(address a, uint256 x) { rule inverseMintBurn(address a, uint256 x) {
env e; env e;
address delegatedUser;
require sinvoke getIncentivesController(e) == 0; require sinvoke getIncentivesController(e) == 0;
uint256 index; uint256 index;
uint256 balancebefore = sinvoke balanceOf(e, a); uint256 balancebefore = sinvoke balanceOf(e, a);
sinvoke mint(e,a,x,index); sinvoke mint(e, delegatedUser, a, x, index);
sinvoke burn(e, a, x); sinvoke burn(e, a, x);
uint256 balanceAfter = sinvoke balanceOf(e, a); uint256 balanceAfter = sinvoke balanceOf(e, a);
assert balancebefore == balanceAfter, "burn is not inverse of mint"; assert balancebefore == balanceAfter, "burn is not the inverse of mint";
} }
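Review bot: The new `address delegatedUser;` declared in `integrityMint`, `additiveMint` and `inverseMintBurn` is passed as the first argument of `mint(...)` but is never constrained and never read back, so the rules fold `delegatedUser == a` and `delegatedUser != a` into one case and assert nothing about whatever `mint` does to `delegatedUser` itself; in `inverseMintBurn` in particular, `mint(e, delegatedUser, a, x, index)` followed by `burn(e, a, x)` only checks that `a` is restored. The harness's `mint` signature is not visible in these hunks, so the meaning of the new first parameter is inferred from its name (a credit-delegation style caller distinct from the debtor). I would add above each declaration `// delegatedUser is a free address: the rule must hold for both delegatedUser == a and delegatedUser != a`, and in `inverseMintBurn` record `uint256 delegatedBefore = sinvoke balanceOf(e, delegatedUser);` before the mint and assert `delegatedUser != a => sinvoke balanceOf(e, delegatedUser) == delegatedBefore` after the burn. Minor wording on the new side of the `additiveMint` header: `it can performed` should read `it can be performed`. The `additiveMint` body continues past the end of its hunk.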