Formal Verification

Summary

This report represents work and conclusions based on Term Labs using Certora’s Prover tool to formally verify security properties of Term's smart contracts. Term finalized formal verification of the protocol's smart contracts using Certora's Prover solutions with guidance and technical support provided by the Certora team. The work was undertaken from Dec. 1, 2023 to Mar. 23, 2024. Some of these tests were verified using beta and staging versions of Certora's Prover, which are scheduled to be deployed to their production service in the near future. The latest commit that was reviewed and ran through the Certora Prover was 831292726cdc22e9d4d2953d59051fa00fbd4f72.

The scope of this verification includes all Term Servicer contracts within Term Protocol. This includes the following.

  • TermRepoToken.sol

  • TermRepoLocker.sol

  • TermRepoServicer.sol

  • TermRepoCollateralManager.sol

  • TermRepoRolloverManager.sol

Auction Contracts within Term Protocol were partially verified, with coverage on all functions except for those related to auction clearing, whose loop complexity is too elevated for formal verification. Runtime Verification was previously engaged to focus specifically on auditing and manually verifying this small but critical part of the codebase, see here. Contracts with partial coverage include:

  • TermAuction.sol

  • TermAuctionBidLocker.sol

  • TermAuctionOfferLocker.sol

The Certora Prover proved the implementation of the protocol is correct with respect to formal specifications written by the Term Labs team.

List of Main Issues Discovered

Severity: Low

Issue:
Zero Max Repayment Allowed in burnCollapseExposure

Description:

In the case where a borrower (i) has an outstanding repurchase exposure that (ii) has also been submitted as an open rollover such that (iii) the amount they are able to collapse is 0, the burnCollapseExposure function nevertheless executes, calling 0 transfers and adding 0 to accounting for a burn collapse exposure . Although there is no harm done, this is a waste of gas for the user.

Mitigation/Fix:

Add a revert condition to burnCollapseExposure to revert execution if the max repayment a borrower can make is 0.

Rule coverage:

burnCollapseExposureIntegrity burnCollapseExposureRevertConditions

Disclaimer

The Certora Prover takes as input a contract and a specification and formally proves that the contract satisfies the specification in all scenarios. Importantly, the guarantees of the Certora Prover are scoped to the provided specification, and the Certora Prover does not check any cases not covered by the specification.

We hope that this information is useful, but provide no warranty of any kind, explicit or implied. The contents of this report should not be construed as a complete guarantee that the contract is secure in all dimensions. In no event shall Term, Certora or any of its or their respective employees be liable for any claim, damages or other liability, whether in an action of contract, tort or otherwise, arising from, out of or in connection with the results reported here.

Overview of the verification

Description of the system

The Term Finance Protocol enables noncustodial fixed-rate collateralized lending on-chain (Term Repos) modeled on tri-party repo arrangements common in TradFi. Borrowers and lenders are matched through a unique recurring auction process (Term Auctions) where borrowers submit sealed bids and lenders submit sealed offers that are used to determine an interest rate that clears the market for participants of that auction. Participants who bid more than the clearing rate receive loans and participants willing to lend below the clearing rate make loans, in each case at the market-clearing rate. All other participants’ bids and offers are said to be “left on the table.” At the conclusion of an auction, borrowers receive loan proceeds and lenders receive ERC-20 tokens (Term Repo Tokens), which are receipts that lenders will burn to redeem for principal plus interest at maturity. Protocol smart contracts service these transactions by ledgering repayments and monitoring collateral health and liquidations.

Description of the specification files

For each contract, spec rules are divided into separate spec files per business logic function type (separate spec for state variable rules), but during runtime are compiled together in a rules.spec file. For the termRepoCollateralManager, the rules.spec is further divided into a rules.spec and other spec files for liquidations and state variables, due to the nature of high verification fun times for those functions.

Assumptions and Simplifications

  • Some loops were run with a fixed size of 1 in able to enable formal verification. Verifying beyond a 1st loop would have cause formal verification to time out.

  • Token prices are fetched from a constant mapping in CVL instead of a live price feed. This enables easier comparison of expected calculations and actual token amounts.

  • Some of the multiplications and divisions in liquidation functions in the smart contracts inherit a contract called ExponentialNoError, which scales and truncates multiplications and divisions in Solidity in a way that precision is not lost. The calculations in these functions were replaced with CVL equivalents in order to prevent timeouts of FV rules.

Contract Invariants and Rules

Common Rules

Applied to every contract in the protocol.

  1. Rule: pairTermContractsRevertsWhenAlreadyPaired - constrain input space to only include contracts that have already been paired.

  1. Rule: onlyPairTermContractsChangesIsTermContractPairedRule - ensures that only pairTermContracts(...) can change state of termContractPaired

TermRepoToken.sol

  1. Invariant totalSupplyIsSumOfBalances - ensures that the total supply of tokens always equals the sum of individual account balances, maintaining the principle of token conservation.

  1. Rule: totalSupplyNeverOverflow - guarantees that the total supply of tokens cannot exceed the maximum value allowed by the system, preventing overflow errors.

  1. Rule: noMethodChangesMoreThanTwoBalances - ensures that no single operation can alter more than two account balances at once.

  1. Rule: onlyAllowedMethodsMayChangeAllowance - verifies that changes to token allowances are restricted to approved methods, ensuring that delegated spending limits are securely managed.

  1. Rule: onlyAllowedMethodsMayChangeBalance - verifies that token balance changes within accounts can only be done through approved methods, preventing unauthorized modifications.

  1. Rule: onlyAllowedMethodsMayChangeTotalSupply - verifies that changes to the total supply of tokens are conducted only through authorized methods, maintaining supply integrity.

  1. Rule: reachability - verifies that all non-initialization and non-upgrade methods can be executed, ensuring contract functionality is accessible.

  1. Rule: onlyAuthorizedCanTransfer - verifies that token transfers can only be initiated by authorized entities.

  1. Rule: onlyHolderOfSpenderCanChangeAllowance - verifies that changes to spending allowance, which is the limit set by the token holder for how much another account can spend on their behalf, can only be made by the token holder or a designated spender

  1. Rule: mintTokensIntegrity - ensures that after minting tokens, the balance of the minter and the total supply are correctly increased.

  1. Rule: mintRedemptionValueIntegrity - ensures that after minting tokens and returning a value, the balance of the minter and the total supply are correctly increased.

where expScale = 10^ 18.

  1. Rule: mintTokensRevertingConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: mintRedemptionValueRevertingConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: mintRedemptionValueDoesNotAffectThirdParty - verifies that when one account invokes mintRedemptionValue, this action does not affect third-party balances.

  1. Rule: mintTokensDoesNotAffectThirdParty - verifies that when one account invokes mintOpenExposure, this action does not affect third-party balances.

  1. Rule: burnIntegrity - ensures that after burning tokens, the balance of the burner and the total supply are correctly decreased.

  1. Rule: burnAndReturnValueIntegrity - ensures that after burning tokens and returning a value, the balance of the burner and the total supply are correctly decreased.

  1. Rule: burnRevertingConditions - checks conditions under which a burn operation should revert, such as not having enough balance, the contract being paused, etc.

  1. Rule: burnDoesNotAffectThirdParty - verifies that burning tokens from one account does not affect third party balances.

  1. Rule: burnAndReturnValueDoesNotAffectThirdParty - confirms that burning tokens and returning a value from one account does not impact the balance of an unrelated account.

  1. Rule: transferIntegrity - asserts that after a transfer, the balances of the sender and recipient are updated correctly, respecting the case when sender and recipient are the same.

  1. Rule: transferIsOneWayAdditive - demonstrates that if a transfer of a combined amount succeeds, individual transfers of the components should also succeed without affecting the final state.

  1. Rule: transferRevertingConditions- identifies conditions under which a transfer should revert, such as the sender not having enough balance.

  1. Rule: transferDoesNotAffectThirdParty - ensures that a transfer between two accounts does not affect the balance of a third party.

  1. Rule: transferFromIntegrity - confirms that after a transferFrom operation, the balances of the holder and recipient are correctly adjusted, and the allowance is updated appropriately.

  1. Rule: transferFromRevertingConditions - checks for conditions that should cause a transferFrom to revert, such as insufficient allowance or balance.

  1. Rule: transferFromDoesNotAffectThirdParty - verifies that a transferFrom operation does not impact the balance or allowance of third parties.

  1. Rule: transferFromIsOneWayAdditive - shows that if a transferFrom for a combined amount is successful, then separate transferFrom operations for each component of the amount should also succeed, without altering the final state.

  1. Rule: approveIntegrity - ensures that the allowance is correctly set after an approve operation.

  1. Rule: approveRevertingConditions - identifies scenarios in which an approve operation should revert, such as when trying to approve from a zero address.

  1. Rule: approveDoesNotAffectThirdParty - confirms that an approve operation between two parties does not affect the allowance of a third party.

  1. Rule: onlyAllowedMethodsMayChangeMintExposureCap - ensures that only specific methods can modify the mint exposure cap. Methods like minting, burning, or resetting the cap are allowed to change it.

  1. Rule: mintExposureCapNeverOverflow - verifies that when the mint exposure cap is increased, this action does not cause it to overflow, ensuring the cap's value remains within safe limits.

  1. Rule: noMethodChangesRedemptionValue - confirms that the redemption value remains unchanged across transactions, except by methods explicitly intended to modify it. This rule ensures stability in the redemption value.

  1. Rule: onlyRoleCanCallRevert - checks if a method call that is not a view and requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: onlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

TermRepoLocker.sol

  1. Rule: onlyAllowedMethodsMayChangeTransfersPaused - ensures that the state of transfers being paused can only be altered by specific methods designated for pausing or unpausing transfers.

  1. Rule: noMethodChangesTermRepoId - confirms that the Term Repo ID remains constant and is not changed by any method calls, ensuring its immutability post-initialization.

  1. Rule: onlyAllowedMethodsMayChangeEmitter - verifies that the emitter's address can only be changed through specific methods, preserving the integrity and security of the emitter identification.

  1. Rule: onlyAllowedMethodsMayChangeBalance - checks if the treasury balance is correctly updated by allowed methods and remains unchanged by others.

  1. Rule: reachability - verifies that all non-initialization and non-upgrade methods can be executed, ensuring contract functionality is accessible.

  1. Rule: transferTokenFromWalletIntegrity - validates the integrity of transferring tokens from the wallet, checking the update in treasury and sender balances post-transaction.

  1. Rule: transferTokenToWalletIntegrity - ensures the correct adjustment of balances when tokens are transferred to the wallet, factoring in role permissions and pause status.

  1. Rule: pauseTransfersIntegrity - validates that transfers can be paused correctly by the authorized role, ensuring the state is changed as expected.

  1. Rule: unpauseTransfersIntegrity - confirms that transfers can be unpaused accurately, reverting the paused state and allowing transactions to proceed.

  1. Rule: onlyRoleCanCallRevert - ensures that methods not related to initialization, upgrade, or role management only revert if the caller lacks the necessary roles. This rule safeguards against unauthorized actions while allowing legitimate operations.

  1. Rule: onlyRoleCanCallStorage - verifies that storage modifications by non-view methods are properly guarded by role checks, preventing unauthorized changes to the contract's state. This rule enforces role-based access control for sensitive operations.

TermRepoServicer.sol

  1. Invariant: totalOutstandingRepurchaseExposureIsSumOfRepurchases - asserts that the total outstanding repurchase exposure is equal to the sum of all individual repurchase exposures, ensuring consistency within the ledger.

  1. Rule: onlyAllowedMethodsMayChangeTotalOutstandingRepurchaseExposure - specifies that only particular methods can increase or decrease the total outstanding repurchase exposure, aligning changes with expected business logic operations.

  1. Rule: totalOutstandingRepurchaseExposureNeverOverflows - ensures that actions intended to increase the total outstanding repurchase exposure do not result in an overflow, preserving the integrity of financial calculations.

  1. Rule: onlyAllowedMethodsMayChangeTotalRepurchaseCollected - identifies methods permitted to increase or decrease the total repurchase collected, ensuring that financial metrics reflect actual repurchase activity accurately.

  1. Rule: totalRepurchaseCollectedNeverOverflows - verifies that the total repurchase collected metric cannot overflow as a result of any operation, maintaining the system's financial stability.

  1. Rule:shortfallHaircutMantissaAlwaysZeroBeforeRedemptionAndLessThanExpScaleAfter - confirms the shortfall haircut mantissa remains zero before the redemption timestamp and falls within expected bounds after, ensuring fair and predictable financial adjustments.

  1. Rule: totalRepurchaseCollectedLessThanOrEqualToLockerPurchaseTokenBalance - ensures that the total repurchase collected does not exceed the locker's purchase token balance, preventing overestimation of collected repurchases.

  1. Rule: noMethodsChangeMaturityTimestamp - validates that no method changes the maturity timestamp, ensuring consistency in the term's length and financial obligations.

  1. Rule: noMethodsChangeEndOfRepurchaseWindow - confirms the end of the repurchase window is immutable across all contract interactions, preserving the predetermined timeframe for repurchases, which is critical for contractual agreements.

  1. Rule: noMethodsChangeRedemptionTimestamp - ensures the redemption timestamp remains constant across all contract interactions, guaranteeing the redemption period's stability and predictability.

  1. Rule: noMethodsChangeServicingFee - verifies that the servicing fee rate is maintained across all transactions, ensuring consistent fee calculations and financial expectations for parties involved.

  1. Rule: onlyAllowedMethodsChangeShortfallHaircutMantissa - restricts adjustments to the shortfall haircut mantissa to specific authorized methods, safeguarding the metric's integrity against unauthorized modifications.

  1. Rule: noMethodChangesPurchaseToken - confirms the purchase token's address remains unaltered through contract operations, ensuring continuity and reliability in financial mechanisms involving the token.

  1. Rule: onlyAllowedMethodsMayChangeTermContracts - specifies that term contract addresses can only be modified through designated methods, preventing unauthorized updates and maintaining contract ecosystem integrity.

  1. Rule: onlyAllowedMethodsMayChangeRepurchaseExposureLedger - limits the conditions under which the repurchase exposure ledger can be altered, ensuring that changes are strictly governed and reflect actual repurchase activities.

  1. Rule: burnCollapseExposureMonotonicBehavior - verifies that burning to collapse exposure reduces the caller's repo token balance, their repurchase obligation, and the total outstanding repurchase exposure monotonically, ensuring systemic risk reduction and individual accountability.

  1. Rule: burnCollapseExposureIntegrity - ensures that burning for exposure collapse adjusts the repo token balance, repurchase obligation, and total outstanding repurchase exposure by the expected amounts, reflecting accurate and fair financial adjustments.

  1. Rule: burnCollapseExposureDoesNotAffectThirdParty - confirms that an individual's action to burn repo tokens to collapse exposure does not impact the financial positions (token balances or repurchase obligations) of unrelated third parties, maintaining isolation of financial activities.

  1. Rule: burnCollapseExposureRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: mintOpenExposureMonotonicBehavior - ensures that minting open exposure increases the minter's repo token balance, their repurchase obligation, and the total outstanding repurchase exposure, as well as the minter's collateral balance, indicating correct operation and accountability in minting activities.

  1. Rule: mintOpenExposureIntegrity - confirms that minting for open exposure results in expected increases in the minter's repo token balance and repurchase obligation, as well as the total outstanding repurchase exposure, demonstrating the transaction's impact aligns with predefined financial mechanisms.

  1. Rule: mintOpenExposureDoesNotAffectThirdParty - verifies that a minter's action to open exposure does not alter the repo token balances of unrelated third parties, ensuring the isolation of minting effects within the financial ecosystem.

  1. Rule: mintOpenExposureRevertConditions - check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: redemptionsMonotonicBehavior - verifies that redemption operations result in expected changes to the balances and obligations involved, ensuring that the redeemer's repo token balance decreases, their purchase token balance increases, and the overall repurchase obligations and available tokens within the locker adjust accordingly.

  1. Rule: redemptionsIntegrity - confirms that the redemption of repo tokens by a redeemer leads to the precise adjustments in the total repurchase collected, the repo token balance of the redeemer, and the purchase token balance in accordance with the redemption value and terms defined, reflecting the accurate financial transaction and impact.

  1. Rule: redemptionsDoesNotAffectThirdParty - ensures that a redemption action taken by one participant does not inadvertently alter the financial position or balances of unrelated third parties, maintaining the integrity and isolation of individual transactions within the ecosystem.

  1. Rule: redemptionsRevertConditions - evaluates whether the operation correctly reverts under the prescribed conditions, ensuring compliance with defined contractual behaviors and protections.

  1. Rule: repaymentsMonotonicBehavior - validates that repayments lead to expected monotonic changes in borrower obligations and system totals, ensuring borrower balances and overall repurchase exposures decrease as payments are made, while the total repurchase collected and potentially the collateral values adjust accordingly.

  1. Rule: repaymentsIntegrity - ensures the integrity of repayments by verifying that the repayments correctly decrease the borrower's obligations and appropriately adjust the system's repurchase exposure and collected totals, with specific attention to the treatment of collateral in the event of complete repayment.

  1. Rule: repaymentsDoesNotAffectThirdParty - confirms that a borrower's repayment activity does not inadvertently affect the financial obligations or collateral standings of any unrelated third parties, preserving the isolation and accuracy of individual account statuses within the system.

  1. Rule: repaymentsRevertingConditions - check if the operation correctly reverts under specified conditions, ensuring adherence to defined contractual behaviors and safeguards.

  1. Rule: liquidatorCoverExposureIntegrity - validates the integrity of a liquidation process where a liquidator covers the exposure of a borrower using purchase tokens. It checks that balances and obligations adjust correctly, reflecting the liquidation payment in system totals and individual accounts.

  1. Rule: liquidatorCoverExposureDoesNotAffectThirdParty - ensures that the liquidation process does not inadvertently impact the financial status or obligations of any third parties, maintaining the precision and isolation of account transactions within the system.

  1. Rule: liquidatorCoverExposureRevertConditions - evaluate if the transaction reverts as expected under identified conditions, ensuring compliance with system rules and safeguards.

  1. Rule: liquidatorCoverExposureWithRepoTokenIntegrity - examines the proper functioning of liquidation via repo tokens, verifying that such transactions correctly reduce borrower obligations and adjust system and participant balances in accordance with the repo tokens used in the liquidation.

  1. Rule: liquidatorCoverExposureWithRepoTokenRevertConditions - define conditions that would lead to a transaction revert; aggregate revert conditions to determine expectation; eliquidation attempt with potential revert and validate against expected outcome; ensure actual revert aligns with expectations based on identified conditions.

  1. Rule: openExposureOnRolloverNewIntegrity - ensures that all relevant balances properly accounted for after opening a repoExposure on account of a successful rollover.

  1. Rule: openExposureOnRolloverNewDoesNotAffectThirdParty - verifies that rolling over loan exposures from one account does not affect third-party balances.

  1. Rule: openExposureOnRolloverNewRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: closeExposureOnRolloverExistingIntegrity - ensures that all relevant balances properly accounted for after closing a repoExposure on account of a successful rollover.

  1. Rule: closeExposureOnRolloverExistingDoesNotAffectThirdParty - verifies that rolling over loan exposures from one account does not affect third-party balances.

  1. Rule: closeExposureOnRolloverExistingRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: fulfillOfferIntegrity - ensures repoTokens are properly minted to a user's address when their offer is fulfilled.

  1. Rule: fulfillBidIntegrity - check that the bidder's token balance has decreased and protocol's token balance has increased after fulfillBid.

  1. Rule: fulfillOfferRevertsIfNotValid - ensure that fulfillOffer reverts if not valid.

  1. Rule: fulfillBidRevertsIfNotValid - ensure that fulfillBid reverts if not valid.

  1. Rule: fulfillOfferDoesNotAffectThirdParty - verifies that fulfilling an offer belonging to one account does not affect the third party balances.

  1. Rule: fulfillBidDoesNotAffectThirdParty - verifies that fulfilling a bid belonging to from one account does not affect the third party balances.

  1. Rule: lockOfferAmountIntegrity - ensures purchase tokens are properly deducted from a user's address when they lock an offer.

  1. Rule: unlockOfferAmountIntegrity - ensures purchase tokens are properly transferred to a user's address when they unlock an offer.

  1. Rule: lockOfferAmountDoesNotAffectThirdParty - verifies that locking an offer belonging to one account does not affect the third party balances.

  1. Rule: unlockOfferAmountDoesNotAffectThirdParty - verifies that unlocking an offer belonging to one account does not affect the third party balances..

  1. Rule: lockOfferAmountRevertsWhenInvalid - ensure that locking offers reverts if not valid

  1. Rule: unlockOfferAmountRevertsWhenInvalid - ensure that unlocking offers reverts if not valid

  1. Rule: onlyRoleCanCallRevert - checks if a method call requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: onlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

TermRepoCollateralManager.sol

  1. Rule: auctionLockCollateralIntegrity - ensures that all relevant balances are properly reflected on account of locking collateral when calling auctionLockCollateral

  1. Rule: auctionLockCollateralThirdParty - verifies that locking collateral belonging to one account when calling lockBid does not affect the third party balances

  1. Rule: auctionLockCollateralRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: auctionUnlockCollateralIntegrity - ensures that all relevant balances are properly reflected on account of locking collateral when calling auctionUnlockCollateral

  1. Rule: auctionUnlockCollateralThirdParty - verifies that unlocking collateral belonging to one account when calling auctionUnlockCollateral does not affect the third party balances

  1. Rule: auctionUnlockCollateralRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: journalBidCollateralToCollateralManagerIntegrity - ensures that all relevant balances are properly reflected on account of locking collateral when fulfilling a bid.

  1. Rule: journalBidCollateralToCollateralManagerThirdParty - verifies that journaling collateral to the lockedCollateralLedger when fulfilling a bid belonging to one account does not affect the third party balances.

  1. Rule: journalBidCollateralToCollateralManagerRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: externalLockCollateralIntegrity - ensures that all relevant balances are properly reflected on account of locking collateral when calling externalLockCollateral.

  1. Rule: externalLockCollateralThirdParty - verifies that locking collateral belonging to one account when calling externalLockCollateral does not affect the third party balances

  1. Rule: externalLockCollateralRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: externalUnlockCollateralIntegrity - ensures that all relevant balances are properly reflected on account of locking collateral when calling externalUnlockCollateral.

  1. Rule: externalUnlockCollateralThirdParty - verifies that unlocking collateral belonging to one account when calling externalUnlockCollateraldoes not affect the third party balances

  1. Rule: externalUnlockCollateralRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: lockerCollateralTokenBalanceGreaterThanCollateralLedgerBalance - verifies the assumption that total collateral token balances is always less than or equal to the balance recorded in ledger

  1. Rule: onlyAllowedMethodsMayChangeEncumberedCollateralBalances - verifies that changes to the balances of encumbered collateral to specific methods, ensuring that such modifications are controlled and intentional.

  1. Rule: encumberedCollateralBalancesNeverOverflows - ensure that encumberedCollateralBalances never overflows

  1. Rule: noMethodsChangeTermRepoId - verifies that termRepoIds are immutable.

  1. Rule: noMethodsChangeNumOfAcceptedCollateralTokens - verifies that the number of accepted collateral tokens are immutable.

  1. Rule: noMethodsChangeDeMinimisMarginThreshold - verifies that the deminimisMarginThreshold is immutable.

  1. Rule: noMethodsChangeLiquidateDamagesDueToProtocol - verifies that the liquidated damages due to protocol is immutable.

  1. Rule: noMethodsChangeNetExposureCapOnLiquidation - verifies that the netExposureCapOnLiquidation parameter of a termRepo is immutable.

  1. Rule: noMethodsChangePurchaseToken - verifies that the purchaseToken associated with a termRepo is immutable.

  1. Rule: onlyAllowedMethodsChangeTermContracts - verifies that changes to term contracts addresses are restricted to certain allowed methods.

  1. Rule: noMethodsChangeMaintenanceCollateralRatios - verifies that maintenance collateral ratios associated with a termRepo are immutable.

  1. Rule: noMethodsChangeInitialCollateralRatios - verifies that initial collateral ratios associated with a termRepo are immutable.

  1. Rule: noMethodsChangeLiquidatedDamages - verifies that liquidated damages associated with a termRepo are immutable.

  1. Rule: onlyAllowedMethodsChangeLockedCollateralLedger - verifies that changes t othe collateral ledger is restricted to certain approved methods.

  1. Rule: sumOfCollateralBalancesLessThanEncumberedBalances - verifes the assumption that the total sum of all collateral balances is always less than the encumbered collateral balance.

  1. Rule: batchLiquidationSuccessfullyLiquidates - assert that the locker's balances, the liquidator's balances and protocol reserve's balances have changed by the correct amount after bathLiquidate

  1. Rule: batchLiquidateWithRepoTokenSuccessfullyLiquidates - assert that the locker's balances, liquidators balances and protocol reserve blances have changed by the correct amount after calling batchLiquidatedWithRepoToken

  1. Rule: batchDefaultSuccessfullyDefaults - assert that the locker's balances, liquidator's balances and protocol reserve balances have changed by the correct amount after callingbatchDefault

  1. Rule: batchLiquidationDoesNotAffectThirdParty - verifies that liquidating collateral belonging to one account does not affect the third party balances.

  1. Rule: batchLiquidationWithRepoTokenDoesNotAffectThirdParty - verifies that liquidating collateral using batchLiquidationWithRepoToken belonging to one account does not affect the third party balances.

  1. Rule: batchDefaultDoesNotAffectThirdParty - verifies that liquidating collateral belonging to one account when calling batchDefault does not affect the third party balances.

  1. Rule: batchLiquidationRevertsIfInvalid - ensures that batchLiquidate reverts if not valid.

  1. Rule: batchLiquidationWithRepoTokenRevertsIfInvalid - ensure that batchLiquidateWithRepoToken reverts if not valid.

  1. Rule: batchDefaultRevertsIfInvalid - ensure that batchDefault reverts if not valid.

  1. Rule: onlyRoleCanCallRevert - checks if a method call requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: onlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

TermRepoRolloverManager

  1. Rule: noMethodsChangeTermRepoId - ensures that the termRepoId is immutable.

  1. Rule: onlyAllowedMethodsChangeTermContracts - verifies that changes to term contracts addresses are restricted to certain allowed methods.

  1. Rule: onlyAllowedMethodsChangeApprovedRolloverAuctionBidLockers - verifies that changes to approved rollover contracts are restricted to certain allowed methods.

  1. Rule: onlyAllowedMethodsChangeRolloverElections - verifies that changes to rollover elections are restricted to certain allowed methods.

  1. Rule: electRolloverIntegrity - ensures that all relevant balances are properly reflected when electing to roll-over a loan.

  1. Rule: electRolloverDoesNotAffectThirdParty - verifies that the action of one account electing to roll over their loan does not impact third-party balances.

  1. Rule: electRolloverRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: cancelRolloverIntegrity - ensures that all relevant balances are properly reflected when cancelling a roll-over election.

  1. Rule cancelRolloverDoesNotAffectThirdParty - verifies that the action of one account cancelling their roll over election does not impact third-party balances.

  1. Rule: cancelRolloverRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: fulfillRolloverIntegrity - ensures that a rollover election is properly marked as processed when fulfilled.

  1. Rule: fulfillRolloverDoesNotAffectThirdParty - verifies that fulfilling a rollover election submitted by one account does not affect the third party balances

  1. Rule: fulfillRolloverRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: onlyRoleCanCallRevert - checks if a method call requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: onlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

TermAuctionBidLocker

  1. Rule: PauseLockingCausesBidLockingToRevert - verifies that pausing locking reverts any attempts at locking bids.

  1. Rule: UnpauseLockingAllowsBidLocking - verifies that unpausing locking allows users to lock bids.

  1. Rule: PauseUnlockingCausesBidUnlockingToRevert - verifies that pausing unlocking reverts any attempts at unlocking offers.

  1. Rule: UnpauseUnlockingAllowsBidUnlocking - verifies that unpausing locking allows users to unlock bids.

  1. Rule: lockerCollateralTokenBalanceGreaterThanCollateralLedgerBalance - verified the assumption that the total amount of collateral locked is always greater than or equal to the amount recorded in ledger.

  1. Invariant: LockedBidIdAlwaysMatchesIndex - verifies the assumption that the bidId matches the ledger.

  1. Invariant: BidCountAlwaysMatchesNumberOfStoredBids - verifies the assumption that the bidCount matches the ledger.

  1. Rule: LockBidsIntegrity - ensures that collateral token balances are properly transferred to the repo locker when locking bids.

  1. Rule: LockBidsDoesNotAffectThirdParty - verifies that locking bids belonging to one account does not affect the third party balances.

  1. Rule: lockBidsMonotonicBehavior - verifies that locking a bid is monotonically increasing in the bid count.

  1. Rule: LockBidsRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: lockBidsWithReferralIntegrity - ensures that collateral token balances are properly transferred to the repo locker when locking bids with a referral.

  1. Rule: lockBidsWithReferralDoesNotAffectThirdParty - verifies that locking bids belonging to one account when calling lockBidsWithReferral does not affect the third party balances.

  1. Rule: lockBidsWithReferralRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: lockBidsWithReferralMonotonicBehavior - verifies that locking a bid with referral is monotonically increasing in the bid count.

  1. Rule: UnlockBidsIntegrity - ensures that collateral token balances are properly transferred from the repo locker to the user when unlocking bids.

  1. Rule: UnlockBidsDoesNotAffectThirdParty - verifies that unlocking bids belonging to one account does not affect the third party balances.

  1. Rule: UnlockBidsRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: UnlockBidsMonotonicBehavior - verifies that unlocking a bid is monotonically decreasing in the bid count.

  1. Rule: AuctionUnlockBidIntegrity - ensures that collateral token balances are properly transferred from the repo locker to the user when unlocking bids.

  1. Rule: AuctionUnlockBidDoesNotAffectThirdParty - verifies that unlocking bids belonging to one account does not affect the third party balances.

  1. Rule: AuctionUnlockBidRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: AuctionUnlockBidMonotonicBehavior - verifies that auctionUnlockCollateral monotonically decreases the bid count.

  1. Rule: RevealBidsIntegrity - ensures that prices are revealed when revealing bids.

  1. Rule: RevealBidsDoesNotAffectThirdParty - verifies that revealing a bid belonging to one account does not affect the third party balances.

  1. Rule: RevealBidsRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: RevealBidsMonotonicBehavior - verifies that revealBids does not change the bid count.

  1. Rule: OnlyRoleCanCallRevert - checks if a method call requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: OnlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

TermAuctionOfferLocker

  1. Rule: PauseLockingCausesOfferLockingToRevert - verifies that pausing locking reverts any attempts at locking offers.

  1. Rule: UnpauseLockingAllowsOfferLocking - verifies that unpausing locking allows users to lock offers.

  1. Rule: PauseUnlockingCausesOfferUnlockingToRevert - verifies that pausing unlocking reverts any attempts at unlocking offers.

  1. Rule: UnpauseUnlockingAllowsOfferUnlocking - verifies that unpausing unlocking allows users to unlock offers.

  1. Invariant: LockedOfferIdAlwaysMatchesIndex - verifies the assumption that the offerId matches the ledger.

  1. Invariant: OfferCountAlwaysMatchesNumberOfStoredOffers - verifies the assumption that the offerCount always matches the ledger.

  1. Rule: lockerPurchaseTokenBalanceGreaterThanOfferLedgerBalance - verifies the assumption that total purchaseToken balances are always greater than or equal to the amount recorded in ledger.

  1. Rule: LockOffersIntegrity - ensures that purchase token balances are properly transferred to the repo locker when locking offers.

  1. Rule: LockOffersDoesNotAffectThirdParty - verifies that locking offers belonging to one account does not affect the third party balances.

  1. Rule: LockOffersMonotonicBehavior - verifies that locking offers is monotonically increasing in the offer count.

  1. Rule: LockOffersRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: LockOffersWithReferralIntegrity - ensures that purchase token balances are properly transferred to the repo locker when locking offers with referral.

  1. Rule: LockOffersWithReferralDoesNotAffectThirdParty - verifies that locking offers belonging to one account when calling lockOffersWithReferral does not affect the third party balances

  1. Rule: LockOffersWithReferralRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: LockOffersWithReferralMonotonicBehavior - verifies that locking offers with referral is monotonically increasing in the offer count.

  1. Rule: UnlockOffersIntegrity - ensures that purchase token balances are properly transferred to user when unlocking offers.

  1. Rule: UnlockOffersDoesNotAffectThirdParty - verifies that unlocking offers belonging to one account does not affect the third party balances

  1. Rule: UnlockOffersRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: UnlockOffersMonotonicBehavior - verifies that unlocking offers is monotonically decreasing in the offer count.

  1. Rule: UnlockOfferPartialIntegrity - ensures that purchase token balances are properly transferred to user when partially unlocking offers.

  1. Rule: UnlockOfferPartialDoesNotAffectThirdParty - verifies that partially unlocking offers belonging to one account does not affect the third party balances

  1. Rule: UnlockOfferPartialRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: UnlockOfferPartialMonotonicBehavior - verifies that partially unlocking offers does not change the offer count.

  1. Rule: RevealOffersIntegrity - ensures that prices are revealed when revealing offers.

  1. Rule: RevealOffersDoesNotAffectThirdParty - verifies that revealing offers belonging to one account does not affect the third party balances

  1. Rule: RevealOffersRevertConditions- check for revert under the defined expected conditions, ensuring operation adherence to defined rules.

  1. Rule: RevealOffersMonotonicBehavior - verifies that revealing offers does not change the offer count.

  1. Rule: OnlyRoleCanCallRevert - checks if a method call requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: OnlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

TermAuction

  1. Rule: OnlyRoleCanCallRevert - checks if a method call requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: OnlyRoleCanCallStorage - ensures that changes to storage by non-view method calls can only be performed by addresses with specific roles, guarding against unauthorized modifications.

  1. Rule: OnlyRoleCanCallRevertCompleteAuction and OnlyRoleCanCallStorageCompleteAuction - verifies that the completeAuction call where unrevealed bids exists requires specific roles to execute successfully, does not revert if the caller has the necessary role.

  1. Rule: OnlyRoleCanCallStorageCompleteAuction - ensures that changes to storage by the completeAuction call where unrevealed bids exists can only be performed by addresses with the admin role, guarding against unauthorized auction clearing where unrevealed bids exist.

Getting Started

Install certora-cli package with pip install certora-cli. To verify specification files, pass to certoraRun the corresponding configuration file in the [certora/confs](<https://github.com/morpho-org/morpho-blue/blob/2ffb6821815ec542c78e0d0379b5e7094d6fd37a/certora/confs>) folder. It requires having set the CERTORAKEY environment variable to a valid Certora key. You can also pass additional arguments, notably to verify a specific rule. For example, at the root of the repository:

Last updated