zama-ai · Seth-Schmidt · Feb 26, 2026 · Mar 3, 2026 · Mar 4, 2026 · Mar 4, 2026
@@ -62,6 +62,7 @@ contracts-exposed
 # Foundry
 /out
 /cache_forge
+/lib/forge-std
 
 yarn.lock
 fhevmTemp
@@ -1,5 +1,22 @@
 [profile.default]
 src = 'contracts'
-libs = ['node_modules']
+out = 'out'
+test = 'test/foundry'
+cache_path = 'cache_forge'
+libs = ['lib', 'node_modules'] 
 solc = '0.8.27'
-optimizer_runs = 200
+optimizer = true
+optimizer_runs = 800
+evm_version = 'cancun'
+
+remappings = [
+    'forge-std/=lib/forge-std/src/',
+    '@openzeppelin/contracts/=node_modules/@openzeppelin/contracts/',
+    '@openzeppelin/contracts-upgradeable/=node_modules/@openzeppelin/contracts-upgradeable/',
+    'token/=../token/',
+]
+
+[invariant]
+runs = 4096
+depth = 100
+fail_on_revert = true
@@ -15,6 +15,8 @@
     "lint:sol": "prettier --loglevel warn '{contracts,test}/**/*.sol' --check && solhint --config solhint.config.js '{contracts,test}/**/*.sol'",
     "lint:sol:fix": "solhint --config solhint.config.js '{contracts,test}/**/*.sol' --fix; prettier --loglevel warn '{contracts,test}/**/*.sol' --write",
     "test": "hardhat test",
+    "test:fuzz": "forge test",
+    "test:fuzz:verbose": "forge test -vvv",
     "test:tasks": "hardhat test:tasks",
     "test:gas": "REPORT_GAS=true hardhat test",
     "test:pragma": "npm run compile && scripts/checks/pragma-validity.js artifacts/build-info/*",

@@ -0,0 +1,144 @@
+// SPDX-License-Identifier: MIT
+pragma solidity ^0.8.27;
+
+import {Test} from "forge-std/Test.sol";
+import {ProtocolStakingHarness} from "./harness/ProtocolStakingHarness.sol";
+import {ERC1967Proxy} from "@openzeppelin/contracts/proxy/ERC1967/ERC1967Proxy.sol";
+import {ZamaERC20} from "token/contracts/ZamaERC20.sol";
+import {ProtocolStakingHandler} from "./handlers/ProtocolStakingHandler.sol";
+import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
+
+// Invariant fuzz test for ProtocolStaking
+contract ProtocolStakingInvariantTest is Test {
+    ProtocolStakingHarness internal protocolStaking;
+    ZamaERC20 internal zama;
+    ProtocolStakingHandler internal handler;
+
+    address internal governor = address(1);
+    address internal manager = address(2);
+    address internal admin = address(3);
+
+    uint256 internal constant ACTOR_COUNT = 5;
+    uint256 internal constant INITIAL_TOTAL_SUPPLY = 1_000_000 ether;
+    uint256 internal constant INITIAL_REWARD_RATE = 1e18; // 1 token/second
+    uint48 internal constant INITIAL_UNSTAKE_COOLDOWN_PERIOD = 1 seconds;
+
+    function setUp() public {
+        address[] memory actorsList = new address[](ACTOR_COUNT);
+        for (uint256 i = 0; i < ACTOR_COUNT; i++) {
+            actorsList[i] = address(uint160(4 + i));
+        }
+
+        // Deploy ZamaERC20, mint to all actors, admin is DEFAULT_ADMIN
+        uint256 initialActorBalance = INITIAL_TOTAL_SUPPLY / ACTOR_COUNT;
+        address[] memory receivers = new address[](ACTOR_COUNT);
+        uint256[] memory amounts = new uint256[](ACTOR_COUNT);
+        for (uint256 i = 0; i < ACTOR_COUNT; i++) {
+            receivers[i] = actorsList[i];
+            amounts[i] = initialActorBalance;
+        }
+
+        zama = new ZamaERC20("Zama", "ZAMA", receivers, amounts, admin);
+
+        // Deploy ProtocolStaking behind ERC1967 proxy
+        ProtocolStakingHarness impl = new ProtocolStakingHarness();
+        bytes memory initData = abi.encodeCall(
+            protocolStaking.initialize,
+            (
+                "Staked ZAMA",
+                "stZAMA",
+                "1",
+                address(zama),
+                governor,
+                manager,
+                INITIAL_UNSTAKE_COOLDOWN_PERIOD,
+                INITIAL_REWARD_RATE
+            )
+        );
+        ERC1967Proxy proxy = new ERC1967Proxy(address(impl), initData);
+        protocolStaking = ProtocolStakingHarness(address(proxy));
+
+        // Grant MINTER_ROLE on Zama to ProtocolStaking
+        vm.startPrank(admin);
+        zama.grantRole(zama.MINTER_ROLE(), address(protocolStaking));
+        vm.stopPrank();
+
+        // Approve ProtocolStaking for all actors
+        for (uint256 i = 0; i < ACTOR_COUNT; i++) {
+            vm.prank(actorsList[i]);
+            zama.approve(address(protocolStaking), type(uint256).max);
+        }
+
+        // Deploy handler with actors list
+        handler = new ProtocolStakingHandler(protocolStaking, zama, manager, actorsList);
+        targetContract(address(handler));
+
+        bytes4[] memory selectors = new bytes4[](12);
+        selectors[0] = ProtocolStakingHandler.warp.selector;
+        selectors[1] = ProtocolStakingHandler.setRewardRate.selector;
+        selectors[2] = ProtocolStakingHandler.addEligibleAccount.selector;
+        selectors[3] = ProtocolStakingHandler.removeEligibleAccount.selector;
+        selectors[4] = ProtocolStakingHandler.stake.selector;
+        selectors[5] = ProtocolStakingHandler.unstake.selector;
+        selectors[6] = ProtocolStakingHandler.claimRewards.selector;
+        selectors[7] = ProtocolStakingHandler.release.selector;
+        selectors[8] = ProtocolStakingHandler.unstakeThenWarp.selector;
+        selectors[9] = ProtocolStakingHandler.stakeEquivalenceScenario.selector;
+        selectors[10] = ProtocolStakingHandler.unstakeEquivalenceScenario.selector;
+        selectors[11] = ProtocolStakingHandler.setUnstakeCooldownPeriod.selector;
+        targetSelector(FuzzSelector({addr: address(handler), selectors: selectors}));
+    }
+
+    function invariant_TotalStakedWeightEqualsEligibleWeights() public view {
+        assertEq(
+            protocolStaking.totalStakedWeight(),
+            handler.computeExpectedTotalWeight(),
+            "totalStakedWeight does not match sum of eligible weights"
+        );
+    }
+
+    function invariant_TotalSupplyBoundedByRewardRate() public view {
+        assertLe(
+            zama.totalSupply(),
+            // TODO: Occasional Off-by-one error in the ghost total supply calculation, need to locate the source of the error
+            // adding small buffer of 1 wei to account for this for now
+            handler.ghost_initialTotalSupply() + handler.ghost_accumulatedRewardCapacity() + 1,
+            "totalSupply exceeds piecewise rewardRate bound"
+        );
+    }
+
+    function invariant_RewardDebtConservation() public view {
+        uint256 tolerance = handler.REWARD_DEBT_CONSERVATION_TOLERANCE();
+        int256 lhs = handler.computeRewardDebtLHS();
+        // When the system is empty, net debt across all users should net out to 0
+        // Σ _paid[account] + Σ earned(account) = 0
+        // Using ApproxEqAbs per contract comment: "Accounting rounding may have a marginal impact on earned rewards (dust)."
+        if (protocolStaking.totalStakedWeight() == 0) {
+            assertApproxEqAbs(lhs, 0, tolerance, "Net reward debt must be 0 when no one is staked");
+            return;
+        }
+        int256 rhs = handler.computeRewardDebtRHS();
+        assertApproxEqAbs(lhs, rhs, tolerance, "reward debt conservation");
+    }
+
+    function invariant_PendingWithdrawalsSolvency() public view {
+        address token = protocolStaking.stakingToken();
+        uint256 balance = IERC20(token).balanceOf(address(protocolStaking));
+        uint256 sumAwaitingRelease;
+        for (uint256 i = 0; i < handler.actorsLength(); i++) {
+            sumAwaitingRelease += protocolStaking.awaitingRelease(handler.actorAt(i));
+        }
+        assertGe(balance, sumAwaitingRelease, "pending withdrawals solvency");
+    }
+
+    function invariant_StakedFundsSolvency() public view {
+        for (uint256 i = 0; i < handler.actorsLength(); i++) {
+            address account = handler.actorAt(i);
+            uint256 totalStaked = handler.ghost_totalStaked(account);
+            uint256 balance = protocolStaking.balanceOf(account);
+            uint256 awaiting = protocolStaking.awaitingRelease(account);
+            uint256 released = handler.ghost_totalReleased(account);
+            assertEq(totalStaked, balance + awaiting + released, "staked funds solvency");
+        }
+    }
+}