docs: properties for invariant testing#12
docs: properties for invariant testing#120xteddybear wants to merge 1 commit intodefi-wonderland:sc/superchain-erc20from
Conversation
|
|
||
| | id | description | halmos | echidna | | ||
| | ----- | ----- | ----- | ----- | | ||
| | 4 | sum of total supply across all chains is always `<=` to `convert()`ed amount | | | |
There was a problem hiding this comment.
| | 4 | sum of total supply across all chains is always `<=` to `convert()`ed amount | | | | |
| | 4 | sum of total supply across all chains is always `<=` to `convert()`-ed and `mint()`-ed amount | | | |
There was a problem hiding this comment.
I'm not sure I follow you on this one, what mint() are you referring to?
with this property I'm trying to describe the high-level behaviour of the whole system, where the only place where tokens can be minted should be inside convert
I guess we could also define a separate 'Valid State' property local to the supERC20 where we check total supply is the sum of all mints, if we don't get that for free by including ToB ERC20 properties
There was a problem hiding this comment.
I'm referring to the OptimismSuperchainERC20#mint function, that is only callable by the standard bridge on the L1 -> L2 flow.
Should we take that into consideration when defining the total amount of the token invariant?
|
|
||
| | id | description | halmos | echidna | | ||
| | ----- | ----- | ----- | ----- | | ||
| | 0 | calls to sendERC20 succeed as long as caller has enough balance | | | |
There was a problem hiding this comment.
| | 0 | calls to sendERC20 succeed as long as caller has enough balance | | | | |
| | 0 | calls to `sendERC20` succeed as long as caller has enough balance | | | |
| | 1 | sendERC20 decreases the token's totalSupply in the source chain | | | | ||
| | 2 | relayERC20 increases the token's totalSupply in the destination chain | | | | ||
| | 3 | only calls to `convert()` can increase the total supply across chains | | | |
There was a problem hiding this comment.
| | 1 | sendERC20 decreases the token's totalSupply in the source chain | | | | |
| | 2 | relayERC20 increases the token's totalSupply in the destination chain | | | | |
| | 3 | only calls to `convert()` can increase the total supply across chains | | | | |
| | 1 | `sendERC20` decreases the token's total supply in the source chain | | | | |
| | 2 | `relayERC20` increases the token's total supply in the destination chain | | | | |
| | 3 | only calls to `convert()` and `mint()` can increase the total supply across chains | | | |
|
|
||
| | id | description | halmos | echidna | | ||
| | ----- | ----- | ----- | ----- | | ||
| | 6 | supERC20 token address does not depend on chainID | | | |
There was a problem hiding this comment.
The invariant wouldn't be something like
| | 6 | supERC20 token address does not depend on chainID | | | | |
| | 6 | supERC20 token addresses are the same in all the different chains | | | |
?
There was a problem hiding this comment.
I believe this is currently clearer to map to a halmos proof, like so:
check_addressDoesNotDependOnChainId(remote, name, symbol, decimals, chainId1, chainID2){
vm.assume(chainId1 != chainId2);
assertEq(factory.deploy(remote, name, symbol, chainId1), factory.deploy(remote, name, symbol, chainId2));
}
wdyt? it certainly feels math-ier
There was a problem hiding this comment.
ah perfect, if that's simpler for halmos let's keep like that
…16 (ethereum-optimism#19271) Add missing @param blueprint NatSpec to OpcmContractRef struct (#2). Add comments about pause blocking interop upgrades (#3). Document migrate() scope limitations and re-migration risks (#7, #15). Update PERMIT_ALL_CONTRACTS_INSTRUCTION comment (#12). Document intentional use of chainSystemConfigs[0] for shared contracts (#16). Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2 participants
I'm not quite sure how to go about specifying the invariants for supERC20, since:
any feedback is welcome ✨