fix: Add resolution of GHO incident for 13/11/2023 report (#374)

* fix: Fixes self-transfer case in discount token hook
* test: Update Certora FV and report

.github/workflows/certora-latest.yml

@@ -0,0 +1,59 @@
+name: certora-latest
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+  workflow_dispatch:
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: recursive
+
+      - name: Install python
+        uses: actions/setup-python@v2
+        with: { python-version: 3.9 }
+
+      - name: Install java
+        uses: actions/setup-java@v1
+        with: { java-version: '11', java-package: jre }
+
+      - name: Install certora cli
+        run: pip install certora-cli==5.0.5
+
+      - name: Install solc
+        run: |
+          wget https://github.com/ethereum/solidity/releases/download/v0.8.10/solc-static-linux
+          chmod +x solc-static-linux
+          sudo mv solc-static-linux /usr/local/bin/solc8.10
+
+      - name: Install node dependencies
+        run: |
+          npm i
+
+      - name: Verify rule ${{ matrix.rule }}
+        run: |
+          cd certora
+          touch applyHarness.patch
+          make munged
+          cd ..
+          echo "key length" ${#CERTORAKEY}
+          certoraRun certora/conf/${{ matrix.rule }}
+        env:
+          CERTORAKEY: ${{ secrets.CERTORAKEY }}
+
+    strategy:
+      fail-fast: false
+      max-parallel: 16
+      matrix:
+        rule:
+          - verifyGhoVariableDebtToken_specialBranch.conf --rule sendersDiscountPercentCannotIncrease

.github/workflows/certora.yml

@@ -20,11 +20,6 @@ jobs:
         with:
           submodules: recursive
 
-      - name: Check key
-        env:
-          CERTORAKEY: ${{ secrets.CERTORAKEY }}
-        run: echo "key length" ${#CERTORAKEY}
-
       - name: Install python
         uses: actions/setup-python@v2
         with: { python-version: 3.9 }
@@ -53,16 +48,26 @@ jobs:
           make munged
           cd ..
           echo "key length" ${#CERTORAKEY}
-          sh certora/scripts/${{ matrix.rule }}
+          certoraRun certora/conf/${{ matrix.rule }}
         env:
           CERTORAKEY: ${{ secrets.CERTORAKEY }}
+
     strategy:
       fail-fast: false
       max-parallel: 16
       matrix:
         rule:
-          - verifyGhoToken.sh length_leq_max_uint160 inv_balanceOf_leq_totalSupply total_supply_eq_sumAllLevel sumAllBalance_eq_totalSupply sumAllLevel_eq_sumAllBalance inv_valid_capacity inv_valid_level address_in_set_values_iff_in_set_indexes addr_in_set_iff_in_map addr_in_set_list_iff_in_map level_leq_capacity mint_after_burn burn_after_mint level_unchanged_after_mint_followed_by_burn level_after_mint level_after_burn facilitator_in_list_after_setFacilitatorBucketCapacity getFacilitatorBucketCapacity_after_setFacilitatorBucketCapacity facilitator_in_list_after_addFacilitator facilitator_in_list_after_mint_and_burn address_not_in_list_after_removeFacilitator balance_after_mint balance_after_burn mintLimitedByFacilitatorRemainingCapacity burnLimitedByFacilitatorLevel ARRAY_IS_INVERSE_OF_MAP_Invariant addressSetInvariant address_not_in_list_after_removeFacilitator_CASE_SPLIT_zero_address OnlyFacilitatorManagerAlterFacilitatorExistence OnlyBucketManagerCanChangeCapacity
-          - verifyGhoAToken.sh noMint noBurn noTransfer transferUnderlyingToCantExceedCapacity totalSupplyAlwaysZero userBalanceAlwaysZero handleRepayment_after_transferUnderlyingTo level_does_not_decrease_after_transferUnderlyingTo_followed_by_handleRepayment
-          - verifyGhoDiscountRateStrategy.sh equivalenceOfWadMulCVLAndWadMulSol maxDiscountForHighDiscountTokenBalance zeroDiscountForSmallDiscountTokenBalance partialDiscountForIntermediateTokenBalance limitOnDiscountRate
-          - verifyFlashMinter.sh balanceOfFlashMinterGrows integrityOfTreasurySet integrityOfFeeSet availableLiquidityDoesntChange integrityOfDistributeFeesToTreasury feeSimulationEqualsActualFee
-          - verifyGhoVariableDebtToken.sh discountCantExceed100Percent disallowedFunctionalities nonMintFunctionCantIncreaseBalance nonMintFunctionCantIncreaseScaledBalance debtTokenIsNotTransferable onlyCertainFunctionsCanModifyScaledBalance userAccumulatedDebtInterestWontDecrease userCantNullifyItsDebt integrityOfMint_updateDiscountRate integrityOfMint_updateIndex integrityOfMint_updateScaledBalance_fixedIndex integrityOfMint_userIsolation onlyMintForUserCanIncreaseUsersBalance integrityOfMint_cantDecreaseInterestWithMint integrityMint_atoken integrityOfBurn_updateDiscountRate integrityOfBurn_updateIndex burnZeroDoesntChangeBalance integrityOfBurn_fullRepay_concrete integrityOfBurn_userIsolation integrityOfUpdateDiscountDistribution_updateIndex integrityOfUpdateDiscountDistribution_userIsolation integrityOfRebalanceUserDiscountPercent_updateDiscountRate integrityOfRebalanceUserDiscountPercent_updateIndex integrityOfRebalanceUserDiscountPercent_userIsolation integrityOfBalanceOf_fullDiscount integrityOfBalanceOf_noDiscount integrityOfBalanceOf_zeroScaledBalance burnAllDebtReturnsZeroDebt
+          - verifyGhoToken.conf --rule length_leq_max_uint160 inv_balanceOf_leq_totalSupply total_supply_eq_sumAllLevel sumAllBalance_eq_totalSupply sumAllLevel_eq_sumAllBalance inv_valid_capacity inv_valid_level address_in_set_values_iff_in_set_indexes addr_in_set_iff_in_map addr_in_set_list_iff_in_map level_leq_capacity mint_after_burn burn_after_mint level_unchanged_after_mint_followed_by_burn level_after_mint level_after_burn facilitator_in_list_after_setFacilitatorBucketCapacity getFacilitatorBucketCapacity_after_setFacilitatorBucketCapacity facilitator_in_list_after_addFacilitator facilitator_in_list_after_mint_and_burn address_not_in_list_after_removeFacilitator balance_after_mint balance_after_burn mintLimitedByFacilitatorRemainingCapacity burnLimitedByFacilitatorLevel ARRAY_IS_INVERSE_OF_MAP_Invariant addressSetInvariant address_not_in_list_after_removeFacilitator_CASE_SPLIT_zero_address
+          - verifyGhoAToken.conf --rule noMint noBurn noTransfer transferUnderlyingToCantExceedCapacity totalSupplyAlwaysZero userBalanceAlwaysZero level_does_not_decrease_after_transferUnderlyingTo_followed_by_handleRepayment
+          - verifyGhoDiscountRateStrategy.conf --rule equivalenceOfWadMulCVLAndWadMulSol maxDiscountForHighDiscountTokenBalance zeroDiscountForSmallDiscountTokenBalance partialDiscountForIntermediateTokenBalance limitOnDiscountRate
+          - verifyFlashMinter.conf --rule balanceOfFlashMinterGrows integrityOfTreasurySet integrityOfFeeSet availableLiquidityDoesntChange integrityOfDistributeFeesToTreasury feeSimulationEqualsActualFee
+          - verifyGhoVariableDebtToken.conf --rule user_index_after_mint user_index_ge_one_ray nonzeroNewDiscountToken
+          - verifyGhoVariableDebtToken.conf --rule accumulated_interest_increase_after_mint
+          - verifyGhoVariableDebtToken.conf --rule userCantNullifyItsDebt
+          - verifyGhoVariableDebtToken.conf --rule discountCantExceedDiscountRate
+          - verifyGhoVariableDebtToken.conf --rule onlyMintForUserCanIncreaseUsersBalance
+          - verifyGhoVariableDebtToken.conf --rule discountCantExceed100Percent
+          - verifyGhoVariableDebtToken.conf --rule disallowedFunctionalities nonMintFunctionCantIncreaseBalance nonMintFunctionCantIncreaseScaledBalance debtTokenIsNotTransferable onlyCertainFunctionsCanModifyScaledBalance userAccumulatedDebtInterestWontDecrease integrityOfMint_updateDiscountRate integrityOfMint_updateIndex integrityOfMint_updateScaledBalance_fixedIndex integrityOfMint_userIsolation integrityMint_atoken integrityOfBurn_updateDiscountRate integrityOfBurn_updateIndex burnZeroDoesntChangeBalance integrityOfBurn_fullRepay_concrete integrityOfBurn_userIsolation integrityOfUpdateDiscountDistribution_updateIndex integrityOfUpdateDiscountDistribution_userIsolation integrityOfRebalanceUserDiscountPercent_updateDiscountRate integrityOfRebalanceUserDiscountPercent_updateIndex integrityOfRebalanceUserDiscountPercent_userIsolation integrityOfBalanceOf_fullDiscount integrityOfBalanceOf_noDiscount integrityOfBalanceOf_zeroScaledBalance burnAllDebtReturnsZeroDebt integrityOfUpdateDiscountRateStrategy user_index_up_to_date
+          - verifyGhoVariableDebtToken_summarized.conf --rule accrueAlwaysCalleldBeforeRefresh
+          - verifyGhoVariableDebtTokenInternal.conf
+          - verifyGhoVariableDebtToken-rayMulDiv-summarization.conf

certora/conf/verifyFlashMinter.conf

@@ -0,0 +1,22 @@
+{
+    "files": [
+        "certora/munged/contracts/facilitators/flashMinter/GhoFlashMinter.sol:GhoFlashMinter",
+        "certora/munged/contracts/facilitators/aave/tokens/GhoAToken.sol:GhoAToken",
+        "certora/munged/contracts/gho/GhoToken.sol",
+        "certora/harness/MockFlashBorrower.sol"
+    ],
+    "link": [
+        "MockFlashBorrower:Gho=GhoToken",
+        "MockFlashBorrower:AGho=GhoAToken",
+        "GhoFlashMinter:GHO_TOKEN=GhoToken",
+        "MockFlashBorrower:minter=GhoFlashMinter"
+    ],
+    "msg": "flashMinter check, all rules",
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -contractRecursionLimit 1"
+    ],
+    "solc": "solc8.10",
+    "verify": "GhoFlashMinter:certora/specs/flashMinter.spec"
+}

certora/conf/verifyGhoAToken.conf

@@ -0,0 +1,20 @@
+{
+    "files": [
+        "certora/munged/contracts/facilitators/aave/tokens/GhoAToken.sol",
+        "certora/munged/contracts/facilitators/aave/tokens/GhoVariableDebtToken.sol",
+        "certora/munged/contracts/gho/GhoToken.sol",
+        "certora/harness/GhoTokenHarness.sol",
+        "certora/harness/DummyERC20A.sol",
+        "certora/harness/DummyERC20B.sol"
+    ],
+    "link": [
+        "GhoAToken:_ghoVariableDebtToken=GhoVariableDebtToken",
+        "GhoVariableDebtToken:_ghoAToken=GhoAToken",
+        "GhoAToken:_underlyingAsset=GhoTokenHarness"
+    ],
+    "msg": "GhoAToken, all rules",
+    "optimistic_loop": true,
+    "process": "emv",
+    "solc": "solc8.10",
+    "verify": "GhoAToken:certora/specs/ghoAToken.spec"
+}

certora/conf/verifyGhoDiscountRateStrategy.conf

@@ -0,0 +1,15 @@
+{
+    "files": [
+        "certora/harness/GhoDiscountRateStrategyHarness.sol:GhoDiscountRateStrategyHarness"
+    ],
+    "loop_iter": "2",
+    "msg": "GhoDiscountRateStrategy, all rules.",
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -mediumTimeout 20 -depth 10"
+    ],
+    "smt_timeout": "500",
+    "solc": "solc8.10",
+    "verify": "GhoDiscountRateStrategyHarness:certora/specs/ghoDiscountRateStrategy.spec"
+}

certora/conf/verifyGhoToken.conf

@@ -0,0 +1,12 @@
+{
+    "files": [
+        "certora/harness/GhoTokenHarness.sol:GhoTokenHarness",
+        "certora/munged/contracts/gho/GhoToken.sol"
+    ],
+    "loop_iter": "3",
+    "msg": "GhoToken, all rules.",
+    "optimistic_loop": true,
+    "process": "emv",
+    "solc": "solc8.10",
+    "verify": "GhoTokenHarness:certora/specs/ghoToken.spec"
+}

certora/conf/verifyGhoVariableDebtToken-rayMulDiv-summarization.conf

@@ -0,0 +1,26 @@
+{
+    "files": [
+        "certora/harness/ghoVariableDebtTokenHarness.sol:GhoVariableDebtTokenHarness",
+        "certora/harness/DummyPool.sol",
+        "certora/harness/DummyERC20WithTimedBalanceOf.sol",
+        "certora/munged/contracts/facilitators/aave/interestStrategy/GhoDiscountRateStrategy.sol",
+        "certora/harness/DummyERC20A.sol",
+        "certora/harness/DummyERC20B.sol"
+    ],
+    "link": [
+        "GhoVariableDebtTokenHarness:_discountToken=DummyERC20WithTimedBalanceOf",
+        "GhoVariableDebtTokenHarness:POOL=DummyPool",
+        "GhoVariableDebtTokenHarness:_discountRateStrategy=GhoDiscountRateStrategy"
+    ],
+    "loop_iter": "2",
+    "msg": " ",
+    "multi_assert_check": true,
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -mediumTimeout 30 -depth 15"
+    ],
+    "smt_timeout": "900",
+    "solc": "solc8.10",
+    "verify": "GhoVariableDebtTokenHarness:certora/specs/ghoVariableDebtToken-rayMulDiv-summarization.spec"
+}

certora/conf/verifyGhoVariableDebtToken.conf

@@ -0,0 +1,25 @@
+{
+    "files": [
+        "certora/harness/ghoVariableDebtTokenHarness.sol:GhoVariableDebtTokenHarness",
+        "certora/harness/DummyPool.sol",
+        "certora/harness/DummyERC20WithTimedBalanceOf.sol",
+        "certora/munged/contracts/facilitators/aave/interestStrategy/GhoDiscountRateStrategy.sol",
+        "certora/harness/DummyERC20A.sol",
+        "certora/harness/DummyERC20B.sol"
+    ],
+    "link": [
+        "GhoVariableDebtTokenHarness:_discountRateStrategy=GhoDiscountRateStrategy",
+        "GhoVariableDebtTokenHarness:POOL=DummyPool",
+        "GhoVariableDebtTokenHarness:_discountToken=DummyERC20WithTimedBalanceOf"
+    ],
+    "loop_iter": "2",
+    "msg": "GhoVariableDebtToken",
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -mediumTimeout 30 -depth 15"
+    ],
+    "smt_timeout": "900",
+    "solc": "solc8.10",
+    "verify": "GhoVariableDebtTokenHarness:certora/specs/ghoVariableDebtToken.spec"
+}

certora/conf/verifyGhoVariableDebtTokenInternal.conf

@@ -0,0 +1,16 @@
+{
+    "files": [
+        "certora/harness/ghoVariableDebtTokenHarnessInternal.sol:GhoVariableDebtTokenHarnessInternal",
+        "certora/munged/contracts/facilitators/aave/interestStrategy/GhoDiscountRateStrategy.sol"
+    ],
+    "loop_iter": "2",
+    "msg": "GhoVariableDebtToken internal functions",
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -mediumTimeout 30 -depth 15"
+    ],
+    "smt_timeout": "900",
+    "solc": "solc8.10",
+    "verify": "GhoVariableDebtTokenHarnessInternal:certora/specs/ghoVariableDebtTokenInternal.spec"
+}

certora/conf/verifyGhoVariableDebtToken_specialBranch.conf

@@ -0,0 +1,25 @@
+{
+    "files": [
+        "certora/harness/ghoVariableDebtTokenHarness.sol:GhoVariableDebtTokenHarness",
+        "certora/harness/DummyPool.sol",
+        "certora/harness/DummyERC20WithTimedBalanceOf.sol",
+        "certora/munged/contracts/facilitators/aave/interestStrategy/GhoDiscountRateStrategy.sol",
+        "certora/harness/DummyERC20A.sol",
+        "certora/harness/DummyERC20B.sol"
+    ],
+    "link": [
+        "GhoVariableDebtTokenHarness:POOL=DummyPool",
+        "GhoVariableDebtTokenHarness:_discountToken=DummyERC20WithTimedBalanceOf",
+        "GhoVariableDebtTokenHarness:_discountRateStrategy=GhoDiscountRateStrategy"
+    ],
+    "loop_iter": "2",
+    "msg": "GhoVariableDebtToken",
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -depth 0 -adaptiveSolverConfig false -smt_nonLinearArithmetic true"
+    ],
+    "prover_version": "shelly/z3-4-12-3-build",
+    "solc": "solc8.10",
+    "verify": "GhoVariableDebtTokenHarness:certora/specs/ghoVariableDebtToken.spec"
+}

certora/conf/verifyGhoVariableDebtToken_summarized.conf

@@ -0,0 +1,25 @@
+{
+    "files": [
+        "certora/harness/ghoVariableDebtTokenHarness.sol:GhoVariableDebtTokenHarness",
+        "certora/harness/DummyPool.sol",
+        "certora/harness/DummyERC20WithTimedBalanceOf.sol",
+        "certora/munged/contracts/facilitators/aave/interestStrategy/GhoDiscountRateStrategy.sol",
+        "certora/harness/DummyERC20A.sol",
+        "certora/harness/DummyERC20B.sol"
+    ],
+    "link": [
+        "GhoVariableDebtTokenHarness:POOL=DummyPool",
+        "GhoVariableDebtTokenHarness:_discountToken=DummyERC20WithTimedBalanceOf",
+        "GhoVariableDebtTokenHarness:_discountRateStrategy=GhoDiscountRateStrategy"
+    ],
+    "loop_iter": "2",
+    "msg": "GhoVariableDebtToken",
+    "optimistic_loop": true,
+    "process": "emv",
+    "prover_args": [
+        " -mediumTimeout 30 -depth 15"
+    ],
+    "smt_timeout": "900",
+    "solc": "solc8.10",
+    "verify": "GhoVariableDebtTokenHarness:certora/specs/ghoVariableDebtToken_summarized.spec"
+}

certora/harness/ghoVariableDebtTokenHarness.sol

@@ -38,4 +38,8 @@ contract GhoVariableDebtTokenHarness is GhoVariableDebtToken {
   function rayDiv(uint256 x, uint256 y) external view returns (uint256) {
     return x.rayDiv(y);
   }
+
+  function get_ghoAToken() external returns (address) {
+    return _ghoAToken;
+  }
 }

certora/harness/ghoVariableDebtTokenHarnessInternal.sol

@@ -0,0 +1,20 @@
+pragma solidity 0.8.10;
+
+import {GhoVariableDebtTokenHarness} from './ghoVariableDebtTokenHarness.sol';
+import {GhoVariableDebtToken} from '../munged/contracts/facilitators/aave/tokens/GhoVariableDebtToken.sol';
+import {IPool} from '@aave/core-v3/contracts/interfaces/IPool.sol';
+
+contract GhoVariableDebtTokenHarnessInternal is GhoVariableDebtTokenHarness {
+  constructor(IPool pool) public GhoVariableDebtTokenHarness(pool) {
+    //nop
+  }
+
+  function accrueDebtOnAction(
+    address user,
+    uint256 previousScaledBalance,
+    uint256 discountPercent,
+    uint256 index
+  ) external returns (uint256, uint256) {
+    return _accrueDebtOnAction(user, previousScaledBalance, discountPercent, index);
+  }
+}