Migrate FV specs to CVL2 (#4527)

Co-authored-by: Hadrien Croubois <hadrien.croubois@gmail.com>
2023-09-11 14:15:51 -06:00
parent b6111faac8
commit 36bf1e46fa
42 changed files with 1008 additions and 913 deletions
--- a/certora/specs/AccessControlDefaultAdminRules.spec
+++ b/certora/specs/AccessControlDefaultAdminRules.spec
@ -1,28 +1,28 @@
-import "helpers/helpers.spec"
-import "methods/IAccessControlDefaultAdminRules.spec"
-import "methods/IAccessControl.spec"
-import "AccessControl.spec"
+import "helpers/helpers.spec";
+import "methods/IAccessControlDefaultAdminRules.spec";
+import "methods/IAccessControl.spec";
+import "AccessControl.spec";

 use rule onlyGrantCanGrant filtered {
-  f -> f.selector != acceptDefaultAdminTransfer().selector
+  f -> f.selector != sig:acceptDefaultAdminTransfer().selector
 }

 /*
 ┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
-│ Helpers                                                                                                             │
+│ Definitions                                                                                                             │
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
 */
 definition timeSanity(env e) returns bool =
-  e.block.timestamp > 0 && e.block.timestamp + defaultAdminDelay(e) < max_uint48();
+  e.block.timestamp > 0 && e.block.timestamp + defaultAdminDelay(e) < max_uint48;

 definition delayChangeWaitSanity(env e, uint48 newDelay) returns bool =
-  e.block.timestamp + delayChangeWait_(e, newDelay) < max_uint48();
+  e.block.timestamp + delayChangeWait_(e, newDelay) < max_uint48;

 definition isSet(uint48 schedule) returns bool =
  schedule != 0;

 definition hasPassed(env e, uint48 schedule) returns bool =
-  schedule < e.block.timestamp;
+  assert_uint256(schedule) < e.block.timestamp;

 definition increasingDelaySchedule(env e, uint48 newDelay) returns mathint =
  e.block.timestamp + min(newDelay, defaultAdminDelayIncreaseWait());
@ -63,7 +63,7 @@ invariant singleDefaultAdmin(address account, address another)
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
 */
 invariant defaultAdminRoleAdminConsistency()
-  getRoleAdmin(DEFAULT_ADMIN_ROLE()) == DEFAULT_ADMIN_ROLE()
+  getRoleAdmin(DEFAULT_ADMIN_ROLE()) == DEFAULT_ADMIN_ROLE();

 /*
 ┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
@ -71,7 +71,7 @@ invariant defaultAdminRoleAdminConsistency()
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
 */
 invariant ownerConsistency()
-  defaultAdmin() == owner()
+  defaultAdmin() == owner();

 /*
 ┌─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
@ -136,7 +136,7 @@ rule renounceRoleEffect(env e, bytes32 role) {
      account == e.msg.sender &&
      (
        role    != DEFAULT_ADMIN_ROLE() ||
-        account != adminBefore          ||
+        account != adminBefore        ||
        (
          pendingAdminBefore == 0 &&
          isSet(scheduleBefore) &&
@ -185,8 +185,8 @@ rule noDefaultAdminChange(env e, method f, calldataarg args) {
  address adminAfter = defaultAdmin();

  assert adminBefore != adminAfter => (
-    f.selector == acceptDefaultAdminTransfer().selector ||
-    f.selector == renounceRole(bytes32,address).selector
+    f.selector == sig:acceptDefaultAdminTransfer().selector ||
+    f.selector == sig:renounceRole(bytes32,address).selector
  ),
    "default admin is only affected by accepting an admin transfer or renoucing";
 }
@ -199,19 +199,19 @@ rule noDefaultAdminChange(env e, method f, calldataarg args) {
 */
 rule noPendingDefaultAdminChange(env e, method f, calldataarg args) {
  address pendingAdminBefore = pendingDefaultAdmin_();
-  address scheduleBefore = pendingDefaultAdminSchedule_();
+  uint48 scheduleBefore = pendingDefaultAdminSchedule_();
  f(e, args);
  address pendingAdminAfter = pendingDefaultAdmin_();
-  address scheduleAfter = pendingDefaultAdminSchedule_();
+  uint48 scheduleAfter = pendingDefaultAdminSchedule_();

  assert (
    pendingAdminBefore != pendingAdminAfter ||
    scheduleBefore != scheduleAfter
  ) => (
-    f.selector == beginDefaultAdminTransfer(address).selector ||
-    f.selector == acceptDefaultAdminTransfer().selector ||
-    f.selector == cancelDefaultAdminTransfer().selector ||
-    f.selector == renounceRole(bytes32,address).selector
+    f.selector == sig:beginDefaultAdminTransfer(address).selector ||
+    f.selector == sig:acceptDefaultAdminTransfer().selector ||
+    f.selector == sig:cancelDefaultAdminTransfer().selector ||
+    f.selector == sig:renounceRole(bytes32,address).selector
  ),
    "pending admin and its schedule is only affected by beginning, completing, or cancelling an admin transfer";
 }
@ -241,8 +241,8 @@ rule noPendingDefaultAdminDelayChange(env e, method f, calldataarg args) {
  uint48 pendingDelayAfter = pendingDelay_(e);

  assert pendingDelayBefore != pendingDelayAfter => (
-    f.selector == changeDefaultAdminDelay(uint48).selector ||
-    f.selector == rollbackDefaultAdminDelay().selector
+    f.selector == sig:changeDefaultAdminDelay(uint48).selector ||
+    f.selector == sig:rollbackDefaultAdminDelay().selector
  ),
    "pending delay is only affected by changeDefaultAdminDelay or rollbackDefaultAdminDelay";
 }
@ -282,7 +282,7 @@ rule beginDefaultAdminTransfer(env e, address newAdmin) {
  // effect
  assert success => pendingDefaultAdmin_() == newAdmin,
    "pending default admin is set";
-  assert success => pendingDefaultAdminSchedule_() == e.block.timestamp + defaultAdminDelay(e),
+  assert success => to_mathint(pendingDefaultAdminSchedule_()) == e.block.timestamp + defaultAdminDelay(e),
    "pending default admin delay is set";
 }

@ -307,7 +307,7 @@ rule pendingDefaultAdminDelayEnforced(env e1, env e2, method f, calldataarg args
  // change can only happen towards the newAdmin, with the delay
  assert adminAfter != adminBefore => (
    adminAfter == newAdmin &&
-    e2.block.timestamp >= e1.block.timestamp + delayBefore
+    to_mathint(e2.block.timestamp) >= e1.block.timestamp + delayBefore
  ),
    "The admin can only change after the enforced delay and to the previously scheduled new admin";
 }
@ -393,7 +393,7 @@ rule changeDefaultAdminDelay(env e, uint48 newDelay) {
    "pending delay is set";

  assert success => (
-    pendingDelaySchedule_(e) > e.block.timestamp ||
+    assert_uint256(pendingDelaySchedule_(e)) > e.block.timestamp ||
    delayBefore == newDelay || // Interpreted as decreasing, x - x = 0
    defaultAdminDelayIncreaseWait() == 0
  ),
@ -419,7 +419,7 @@ rule pendingDelayWaitEnforced(env e1, env e2, method f, calldataarg args, uint48

  assert delayAfter != delayBefore => (
    delayAfter == newDelay &&
-    e2.block.timestamp >= delayWait
+    to_mathint(e2.block.timestamp) >= delayWait
  ),
    "A delay can only change after the applied schedule";
 }
@ -433,9 +433,9 @@ rule pendingDelayWait(env e, uint48 newDelay) {
  uint48 oldDelay = defaultAdminDelay(e);
  changeDefaultAdminDelay(e, newDelay);

-  assert newDelay > oldDelay => pendingDelaySchedule_(e) == increasingDelaySchedule(e, newDelay),
+  assert newDelay > oldDelay => to_mathint(pendingDelaySchedule_(e)) == increasingDelaySchedule(e, newDelay),
    "Delay wait is the minimum between the new delay and a threshold when the delay is increased";
-  assert newDelay <= oldDelay => pendingDelaySchedule_(e) == decreasingDelaySchedule(e, newDelay),
+  assert newDelay <= oldDelay => to_mathint(pendingDelaySchedule_(e)) == decreasingDelaySchedule(e, newDelay),
    "Delay wait is the difference between the current and the new delay when the delay is decreased";
 }