Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unsound "safe" require delegatedLTEqDelegateeVP #107

Open
QGarchery opened this issue Jan 14, 2025 · 4 comments · May be fixed by #105
Open

Unsound "safe" require delegatedLTEqDelegateeVP #107

QGarchery opened this issue Jan 14, 2025 · 4 comments · May be fixed by #105

Comments

@QGarchery
Copy link
Contributor

The invariant delegatedLTEqDelegateeVP proves that:
forall A, A != 0 => balanceOf(A) <= delegatedVotingPower(delegatee(A))
Notice the clause A != 0, which comes from:

morpho-token/certora/specs/ERC20Invariants.spec

Line 13 in d828ef0

axiom A != 0;

However, it seems like it is used without this clause:
@QGarchery QGarchery linked a pull request Jan 14, 2025 that will close this issue
Open
@colin-morpho
Copy link
Contributor

colin-morpho commented Jan 14, 2025
edited
Loading

Is it though, for instance in

morpho-token/certora/specs/RevertsERC20.spec

Line 23 in d828ef0

assert lastReverted <=> e.msg.sender == 0 || to == 0 || balanceOfSenderBefore < amount || e.msg.value != 0;
we show that if the sender = 0 then it reverts, so implicitly we check our hypothesis A != 0. Also, this is why it's not assumed, as we want to check it. The other assumption is only to avoid overflows related to computing the _zerorVirtualVotingPower. I'm not convinced that there's a real issue here.

@QGarchery
Copy link
Contributor Author

we show that if the sender=0 then it reverts, so implicitly we check our hypothesis A != 0.

I don't think so, because if the sender=0 then you make an assumption with require senderVotingPowerBefore >= balanceOfSenderBefore; and then it is checked that it reverts. This assumption may remove cases where you wanted to check that it reverts.

In general I think we should be very careful with require statements, and not simplify them. Notably, I tried adding the premise and the prover didn't succeed, so for now I'm quite convinced that there is an issue in this case

@colin-morpho
Copy link
Contributor

Ok, so approximation is not really unsound. This is because of the rule delegatingUpdatesVotingPower, msg.sender can execute delegateVotingPower(msg.sender) to re-delagate to himself, which makes the case delegatee(e.msg.sender) == 0 trivial in all situations. This is proved in f55c098.

@QGarchery
Copy link
Contributor Author

Nice ! So as a default we can add the exact formula that is proven, and then refine later and add proofs as you did

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Certora] Handle overflows morpho-org/morpho-token
2 participants
@QGarchery @colin-morpho