Merge pull request #178 from morpho-org/colin@verif/bundler-safety

[Certora] Check Bundler safety

Author: colin-morpho

.github/actions/install/action.yml

@@ -17,3 +17,6 @@ runs:
         restore-keys: |
           forge-${{ github.base_ref }}
           forge-
+
+    - name: Install jq
+      uses: sergeysova/jq-action@v2

.github/workflows/certora.yml

@@ -0,0 +1,46 @@
+name: Certora
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+
+      matrix:
+        conf:
+          - Bundler
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ">=3.11"
+
+      - name: Install certora
+        run: pip install certora-cli
+
+      - name: Install solc (0.8.28)
+        run: |
+          wget https://github.com/ethereum/solidity/releases/download/v0.8.28/solc-static-linux
+          chmod +x solc-static-linux
+          sudo mv solc-static-linux /usr/local/bin/solc-0.8.28
+
+      - name: Apply munging
+        run: make -C certora munged
+
+      - name: Verify ${{ matrix.conf }} specification
+        run: certoraRun certora/confs/${{ matrix.conf }}.conf
+        env:
+          CERTORAKEY: ${{ secrets.CERTORAKEY }}

.github/workflows/formatting.yml

@@ -23,3 +23,5 @@ jobs:
 
       - name: Run Linter
         run: find ./ -type f -name '*.sol' -exec perl -pi -e 's/transient //g' {} + && forge fmt --check
+      - name: Run Certora Config Linter
+        run: for file in certora/confs/*.conf; do diff <(jq < "$file") "$file"; done

.gitignore

@@ -21,3 +21,7 @@ data/
 broadcast/
 
 *.log
+
+# Certora
+.certora_internal
+munged/

certora/Makefile

@@ -0,0 +1,14 @@
+munged: ../munged
+
+../munged: $(wildcard ../src/*.sol) applyMunging.patch
+	@rm -rf ../munged
+	@cp -r ../src ../munged
+	@patch -p0 -d ../munged < applyMunging.patch
+
+record:
+	diff -ruN ../src ../munged | sed -E 's,\.\./src/|\.\./munged/,,g' | sed -E 's,((\-\-\-|\+\+\+) [^[:space:]]*).*,\1,' > applyMunging.patch
+
+clean:
+	rm -rf ../munged
+
+.PHONY: clean record munged # Do not add ../munged here, as it is useful to protect munged edits

certora/README.md

@@ -0,0 +1,42 @@
+# Bundler V3 formal verification
+
+This folder contains the [CVL](https://docs.certora.com/en/latest/docs/cvl/index.html) specification and verification setup for the [Bundler](../src/Bunlder.sol) V3.
+
+## Getting started
+
+The verification is performed on modified source files, which can generated with the command:
+
+```
+make -C certora munged
+```
+
+This project depends on several [Solidity](https://soliditylang.org/) versions which are required for running the verification.
+The compiler binaries should be available at the paths:
+
+- `solc-0.8.19` for the solidity compiler version `0.8.19`;
+- `solc-0.8.28` for the solidity compiler version `0.8.28`.
+
+To verify a specification, run the command `certoraRun Spec.conf` where `Spec.conf` is the configuration file of the matching CVL specification.
+Configuration files are available in [`certora/confs`](confs).
+Please ensure that `CERTORAKEY` is set up in your environment.
+
+## Overview
+
+The Bundler contract enables an EOA to call different endpoint contracts onchain as well as grouping several calls in a single bundle.
+These calls may themselves reenter the bundler.
+
+### Bundler
+
+This is checked in [`Bundler.spec`](specs/Bundler.spec).
+
+## Verification architecture
+
+### Folders and file structure
+
+The [`certora/specs`](specs) folder contains the following files:
+
+- [`Bundler.spec`](specs/Bundler.spec) checks that Bundler entry points behave as expected.
+
+The [`certora/confs`](confs) folder contains a configuration file for each corresponding specification file.
+
+The [`certora/Makefile`](Makefile) is used to track and perform the required modifications on source files.

certora/applyMunging.patch

@@ -0,0 +1,86 @@
+diff -ruN Bundler.sol Bundler.sol
+--- Bundler.sol
++++ Bundler.sol
+@@ -15,10 +15,37 @@
+     /* TRANSIENT STORAGE */
+ 
+     /// @notice The initiator of the multicall transaction.
+-    address public transient initiator;
++    //address public transient initiator;
++    function setInitiator(address _initiator) internal {
++        assembly ("memory-safe") {
++            // keccak256("Morpho Bundler Initiator Slot")
++            tstore(0x33a59cbcc71c90d612d5afca82f27022cd1319f49b953968504d8209c045bd1f, _initiator)
++        }
++    }
++
++    function initiator() public view returns (address _initiator) {
++        assembly ("memory-safe") {
++            // keccak256("Morpho Bundler Initiator Slot")
++            _initiator := tload(0x33a59cbcc71c90d612d5afca82f27022cd1319f49b953968504d8209c045bd1f)
++        }
++    }
+ 
+     /// @notice Hash of the concatenation of the sender and the hash of the calldata of the next call to `reenter`.
+-    bytes32 public transient reenterHash;
++    //bytes32 public transient reenterHash;
++
++    function setReenterHash(bytes32 _reenterHash) internal {
++        assembly ("memory-safe") {
++            // keccak256("Morpho Bundler Reenter Hash Slot")
++            tstore(0xf76fe07d24a8fe20766ea4a3e6e9805bd23d7cda61e69a0df6c4774484a4adf8, _reenterHash)
++        }
++    }
++
++    function reenterHash() public view returns (bytes32 _reenterHash) {
++        assembly ("memory-safe") {
++            // keccak256("Morpho Bundler Reenter Hash Slot")
++            _reenterHash := tload(0xf76fe07d24a8fe20766ea4a3e6e9805bd23d7cda61e69a0df6c4774484a4adf8)
++        }
++    }
+ 
+     /* EXTERNAL */
+ 
+@@ -26,13 +53,13 @@
+     /// @dev Locks the initiator so that the sender can be identified by other contracts.
+     /// @param bundle The ordered array of calldata to execute.
+     function multicall(Call[] calldata bundle) external payable {
+-        require(initiator == address(0), ErrorsLib.AlreadyInitiated());
++        require(initiator() == address(0), ErrorsLib.AlreadyInitiated());
+ 
+-        initiator = msg.sender;
++        setInitiator(msg.sender);
+ 
+         _multicall(bundle);
+ 
+-        initiator = address(0);
++        setInitiator(address(0));
+     }
+ 
+     /// @notice Executes a sequence of calls.
+@@ -41,7 +68,7 @@
+     /// @param bundle The ordered array of calldata to execute.
+     function reenter(Call[] calldata bundle) external {
+         require(
+-            reenterHash == keccak256(bytes.concat(bytes20(msg.sender), keccak256(msg.data[4:]))),
++            reenterHash() == keccak256(bytes.concat(bytes20(msg.sender), keccak256(msg.data[4:]))),
+             ErrorsLib.IncorrectReenterHash()
+         );
+         _multicall(bundle);
+@@ -57,13 +84,13 @@
+         for (uint256 i; i < bundle.length; ++i) {
+             address to = bundle[i].to;
+             bytes32 callbackHash = bundle[i].callbackHash;
+-            if (callbackHash == bytes32(0)) reenterHash = bytes32(0);
+-            else reenterHash = keccak256(bytes.concat(bytes20(to), callbackHash));
++            if (callbackHash == bytes32(0)) setReenterHash(bytes32(0));
++            else setReenterHash(keccak256(bytes.concat(bytes20(to), callbackHash)));
+ 
+             (bool success, bytes memory returnData) = to.call{value: bundle[i].value}(bundle[i].data);
+             if (!bundle[i].skipRevert && !success) UtilsLib.lowLevelRevert(returnData);
+ 
+-            require(reenterHash == bytes32(0), ErrorsLib.MissingExpectedReenter());
++            require(reenterHash() == bytes32(0), ErrorsLib.MissingExpectedReenter());
+         }
+     }
+ }

certora/confs/Bundler.conf

@@ -0,0 +1,13 @@
+{
+  "files": [
+    "munged/Bundler.sol"
+  ],
+  "solc": "solc-0.8.28",
+  "verify": "Bundler:certora/specs/Bundler.spec",
+  "rule_sanity": "basic",
+  "server": "production",
+  "msg": "Bundler V3",
+  "loop_iter": "3",
+  "optimistic_loop": true,
+  "optimistic_hashing": true
+}

certora/specs/Bundler.spec

@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+
+using Bundler as Bundler;
+
+methods {
+    function initiator() external returns address envfree;
+    function reenterHash() external returns bytes32 envfree;
+}
+
+// True when `multicall` has been called.
+persistent ghost bool multicallCalled;
+
+// True when `reenter` has been called.
+persistent ghost bool reenterCalled;
+
+hook CALL(uint g, address addr, uint value, uint argsOffset, uint argsLength, uint retOffset, uint retLength) uint rc {
+    if (selector == sig:multicall(Bundler.Call[]).selector) {
+       multicallCalled = true;
+    } else if (selector == sig:reenter(Bundler.Call[]).selector) {
+       reenterCalled = true;
+    }
+}
+
+// Check that reentering is possible only if `multicall` has been called.
+rule reenterAfterMulticall(method f, env e, calldataarg data) {
+
+    // Set up the initial state.
+    require !multicallCalled;
+    require !reenterCalled;
+    // Safe require since it's transiently stored so it's nullified after a reentrant call.
+    require reenterHash() == to_bytes32(0);
+
+    // Capture the first method call which is not performed with a CALL opcode.
+    if (f.selector == sig:multicall(Bundler.Call[]).selector) {
+       multicallCalled = true;
+    } else if (f.selector == sig:reenter(Bundler.Call[]).selector) {
+       reenterCalled = true;
+    }
+
+    f@withrevert(e,data);
+
+    // Avoid failing vacuity checks, either the proposition is true or the execution reverts.
+    assert !lastReverted => (reenterCalled => multicallCalled);
+}
+
+// Check that non zero initiator will trigger a revert upon a multicall.
+rule nonZeroInitiatorRevertsMulticall(env e, Bundler.Call[] bundle) {
+    address initiatorBefore = initiator();
+
+    multicall@withrevert(e, bundle);
+
+    assert initiatorBefore != 0 => lastReverted;
+}
+
+// Check that a null reenterHash will trigger a revert upon reentering the bundler.
+rule zeroReenterHashRevertsReenter(env e, Bundler.Call[] bundle) {
+    bytes32 reenterHashBefore = reenterHash();
+
+    reenter@withrevert(e, bundle);
+
+    assert reenterHashBefore == to_bytes32(0) => lastReverted;
+}